CVE-2026-32709 in PX4-Autopilot
Summary
by MITRE • 03/16/2026
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.
Analysis
by VulDB Data Team • 03/16/2026
CVE-2026-32709 is a critical path traversal flaw in the MAVLink File Transfer Protocol (FTP) implementation of the PX4 autopilot, affecting versions prior to 1.17.0-rc2. PX4 is a flight control solution used in drone systems, and its MAVLink FTP service exposes critical filesystem operations without any authentication. File paths supplied by the peer are not properly validated or sanitized, so an attacker can manipulate the underlying filesystem without credentials or authorization. The vulnerability affects both NuttX and POSIX targets, though the attack vectors and the way the protection fails differ. On NuttX, the FTP root directory is an empty string, so attacker-provided paths are passed directly to filesystem system calls without any prefixing or sanitization, creating an immediate and severe attack surface. This allows arbitrary read, write, create, delete, and rename operations on the flight controller's filesystem, fundamentally compromising system integrity and potentially enabling complete system takeover.
The technical implementation of this vulnerability demonstrates multiple layers of security failure that align with common software security weaknesses. The flaw operates as a classic path traversal vulnerability, which maps directly to CWE-22 - "Improper Limiting of a Pathname to a Restricted Directory." The write-path validation function on POSIX targets unconditionally returns true, providing zero protection against malicious file operations, while the TOCTOU (Time-of-Check to Time-of-Use) race condition on NuttX systems further compounds the issue by allowing attackers to bypass the only existing validation mechanism. This race condition occurs when the system checks file access permissions at one point in time and then performs the actual operation at a later point, during which the file system state may have changed, enabling the bypass of intended security controls. The vulnerability's exploitation directly violates the principle of least privilege and demonstrates a failure in input validation and access control implementation. From an operational perspective, this vulnerability enables attackers to perform actions such as reading sensitive system files, writing malicious code to the filesystem, creating backdoor access points, deleting critical system components, or renaming essential files to disrupt system functionality. The lack of authentication requirements makes this particularly dangerous as any MAVLink peer can exploit this vulnerability, potentially including unauthorized devices on the same network or compromised drones that could serve as attack vectors.
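The two validation failures described above (an empty root, and a write check that always returns true) are contrasted below with a fail-closed confinement routine. This is an added example, not PX4 code and not the fix shipped in 1.17.0-rc2; the function names, the root `/fs/microsd` and the request strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The POSIX behaviour the advisory describes (illustrative, not PX4 source). */
static bool validate_write_weak(const char *path) { (void)path; return true; }

/* Hypothetical hardened helper: lexically resolve `req` beneath `root` into `out`.
 * Fails closed on an unset root, ".." above the root, and truncation. No symlink handling. */
static bool ftp_confine_path(const char *root, const char *req, char *out, size_t cap)
{
    if (!root || !req || !out) return false;
    size_t rlen = strlen(root);
    while (rlen > 1 && root[rlen - 1] == '/') rlen--;   /* ignore trailing '/' */
    /* Empty root (the NuttX case) or "/" confines nothing: refuse it. */
    if (rlen < 2 || root[0] != '/' || rlen + 1 > cap) return false;
    memcpy(out, root, rlen);
    out[rlen] = '\0';
    size_t len = rlen;
    for (const char *p = req; *p; ) {
        while (*p == '/') p++;              /* a leading '/' stays relative to root */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == rlen) return false;  /* would leave the root */
            while (out[len - 1] != '/') len--;
            out[--len] = '\0';              /* drop the last component */
            continue;
        }
        if (len + n + 2 > cap) return false;
        out[len++] = '/';
        memcpy(out + len, seg, n);
        out[len += n] = '\0';
    }
    return true;
}

int main(void)
{
    /* Constructed requests against a constructed root. */
    const char *reqs[] = { "log/../params.bin", "../../etc/passwd", "/log/./a.ulg" };
    char out[64];
    for (size_t i = 0; i < 3; i++)
        printf("%-18s weak=%d confined=%s\n", reqs[i], validate_write_weak(reqs[i]),
               ftp_confine_path("/fs/microsd", reqs[i], out, sizeof out) ? out : "(rejected)");
}
```

Passing the returned `out` string to the subsequent open, rather than re-reading the peer's input, keeps the checked path and the used path identical; a lexical check alone does not cover symlinks or filesystem changes between check and use.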
The operational impact of CVE-2026-32709 extends far beyond simple filesystem manipulation, presenting serious security implications for drone operations and autonomous systems. Attackers could potentially access sensitive flight parameters, navigation data, or proprietary software components stored on the flight controller, leading to intellectual property theft or operational disruption. The ability to write arbitrary files enables attackers to install malicious payloads that could compromise the drone's operational integrity, potentially causing crashes, redirecting flights, or enabling persistent access to the system. The vulnerability's presence in both embedded NuttX environments and POSIX-based companion computers means that the attack surface spans across different operational contexts, from physical drone hardware to simulation environments. This flaw also represents a significant concern from an ATT&CK framework perspective, particularly mapping to techniques such as T1059 - Command and Scripting Interpreter and T1078 - Valid Accounts, as attackers could leverage the compromised system to execute commands or establish persistent access. The vulnerability's exploitation could lead to cascading security failures, especially in environments where multiple drones operate in coordination, potentially allowing attackers to compromise entire drone swarms or autonomous vehicle fleets. Organizations relying on PX4 autopilot systems for commercial, military, or research applications face significant operational risks, as this vulnerability could enable complete system compromise and unauthorized control of aerial vehicles.
Mitigation strategies for CVE-2026-32709 must address both the immediate vulnerability and broader security posture of PX4-based systems. The primary and most effective mitigation is upgrading to PX4 firmware version 1.17.0-rc2 or later, which implements proper authentication mechanisms and path validation controls. Organizations should also implement network segmentation and access control measures to limit exposure of MAVLink services to trusted networks and devices only, reducing the attack surface for unauthenticated access. Network monitoring should be enhanced to detect unusual MAVLink traffic patterns or unauthorized file system operations that might indicate exploitation attempts. Additional mitigations include implementing proper firewall rules to restrict access to MAVLink ports, using secure communication protocols where available, and conducting regular security audits of flight controller filesystems to detect any unauthorized modifications. The vulnerability highlights the importance of input validation and access control design principles, emphasizing that security by obscurity or lack of authentication should never be sufficient protection for critical systems. System administrators should also implement regular firmware update policies and conduct security assessments of autonomous systems to identify and remediate similar vulnerabilities in other components of the drone ecosystem. From a defense-in-depth perspective, organizations should consider implementing intrusion detection systems specifically designed to monitor for MAVLink protocol anomalies and file system access patterns that could indicate exploitation attempts. The vulnerability serves as a reminder that embedded systems in autonomous vehicles require robust security controls from the ground up, rather than relying on network-level protections or assuming that lack of authentication is acceptable for critical operational systems.
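One way to express the MAVLink FTP monitoring recommended above as a concrete rule, as an added example that is not part of the original analysis or of PX4. The payload offsets and opcode numbers follow the public MAVLink FTP specification; the verdict names, the allowed prefix and the sample paths are assumptions. Because an empty root means no `..` is needed to reach other directories, the rule flags any path outside the expected prefix, not only traversal sequences.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* MAVLink FTP payload, per the public MAVLink FTP spec: byte 3 = opcode,
 * byte 4 = size, bytes 12.. = data (`size` bytes, the path for these requests). */
enum { FTP_HDR = 12, FTP_DATA_MAX = 239 };
enum verdict { FTP_IGNORE, FTP_READ_OK, FTP_MUTATION, FTP_BAD_PATH, FTP_MALFORMED };

static bool has_dotdot(const char *p)   /* true if any component is exactly ".." */
{
    for (size_t i = 0; p[i]; i++)
        if ((i == 0 || p[i - 1] == '/') && p[i] == '.' && p[i + 1] == '.' &&
            (p[i + 2] == '/' || p[i + 2] == '\0')) return true;
    return false;
}

/* Hypothetical monitor rule. `prefix` is the one directory this site expects
 * ground stations to use (an assumption); keep its trailing '/'. */
static enum verdict ftp_classify(const uint8_t *pl, size_t len, const char *prefix)
{
    if (len < (size_t)FTP_HDR) return FTP_MALFORMED;
    uint8_t op = pl[3], size = pl[4];
    bool reads = op == 3 || op == 4 || op == 14;     /* List, OpenFileRO, CalcFileCRC32 */
    bool mutates = op == 6 || (op >= 8 && op <= 13); /* Create, Remove, dirs, OpenFileWO, Truncate, Rename */
    if (!reads && !mutates) return FTP_IGNORE;       /* message carries no path */
    if (size == 0 || size > FTP_DATA_MAX || len < (size_t)FTP_HDR + size) return FTP_MALFORMED;
    char path[FTP_DATA_MAX + 1] = {0};
    memcpy(path, pl + FTP_HDR, size);                /* Rename: only the first path is checked */
    if (has_dotdot(path) || strncmp(path, prefix, strlen(prefix)) != 0) return FTP_BAD_PATH;
    return mutates ? FTP_MUTATION : FTP_READ_OK;
}

/* Build a constructed request payload for the demo and tests; returns its length. */
static size_t ftp_sample(uint8_t *pl, uint8_t op, const char *path)
{
    memset(pl, 0, FTP_HDR);
    pl[3] = op; pl[4] = (uint8_t)strlen(path);
    memcpy(pl + FTP_HDR, path, pl[4]);
    return (size_t)FTP_HDR + pl[4];
}

int main(void)
{
    uint8_t pl[FTP_HDR + FTP_DATA_MAX];
    size_t n = ftp_sample(pl, 4, "/fs/microsd/log/../../../etc/example.conf");
    printf("verdict=%d\n", ftp_classify(pl, n, "/fs/microsd/log/"));
}
```

The input is the `payload` field of a FILE_TRANSFER_PROTOCOL message after MAVLink framing has been removed; `FTP_MUTATION` marks an in-prefix change that a site may still want logged, since the service itself performs no authentication.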