Skip to main content

DroneAware CVE-2026-48117

MEDIUM
Improper Authentication (CWE-287)
2026-06-17 GitHub_M
6.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.8 MEDIUM

AC:H reflects the timing prerequisite of registering before the victim; UI:R captures required victim activation; C:H/I:H reflect full account takeover; A:N as availability is unaffected.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 15:31 vuln.today

DescriptionCVE.org

DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.

AnalysisAI

Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target's email address before they register
Delivery
Register account at droneaware.io with victim's email and attacker-controlled password
Exploit
Wait for victim to activate account via email link or Google SSO
Execution
Platform activates account without invalidating attacker credential
Impact
Attacker logs in with pre-set password for persistent, silent account control

Vulnerability AssessmentAI

Exploitation The attacker must know the victim's email address before the victim completes account registration on droneaware.io. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.8 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N accurately reflects the dual constraint on this vulnerability: the attack is fully remote and requires no attacker privileges (PR:N), but both AC:H and UI:R significantly limit exploitability in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows a target's email address (e.g., from a corporate directory, public profile, or phishing intelligence) registers a new DroneAware account at droneaware.io using that email before the victim does, supplying an attacker-controlled password. When the legitimate user later signs up and activates their account - either by clicking the email verification link or by authenticating via Google SSO - the platform activates the account without invalidating or replacing the attacker-set credential. …
Remediation The vendor deployed a server-side fix to the centralized droneaware.io backend on 2025-05-20; no client-side action, patch installation, or configuration change is required by users. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy