CVE-2026-32709

MEDIUM

5.4

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.

Details CVE

Score CVSS v3.15.4

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vecteur d'attaqueADJACENT_NETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie3/16/2026

Derniere modification3/16/2026

Sourcenvd

Observations honeypot0

Produits affectes

dronecode:px4_drone_autopilot

Faiblesses (CWE)

CWE-22

References

https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-fh32-qxj9-x32f(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.