Description
The MAVLink communication protocol does not require cryptographic
authentication by default. When MAVLink 2.0 message signing is not
enabled, any message -- including SERIAL_CONTROL, which provides
interactive shell access -- can be sent by an unauthenticated party with
access to the MAVLink interface. PX4 provides MAVLink 2.0 message
signing as the cryptographic authentication mechanism for all MAVLink
communication. When signing is enabled, unsigned messages are rejected
at the protocol level.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Enable Signing
AI Analysis

Impact

The MAVLink communication protocol does not enforce cryptographic authentication unless MAVLink 2.0 message signing is activated. When signing is disabled, any party that can reach the interface can send unsigned messages, including the SERIAL_CONTROL command which grants a shell on the PX4 autopilot. This allows an attacker to execute arbitrary commands, effectively taking control of the flight controller and compromising the vehicle’s confidentiality, integrity, and availability.

Affected Systems

All installations of PX4 Autopilot, specifically firmware version 1.16.0 as identified by the CPE string, are affected. Users who have not enabled MAVLink 2.0 message signing on any non‑USB communication link are exposed to this risk.

Risk and Exploitability

The CVSS score of 9.3 reflects a severe vulnerability. The low EPSS score (<1%) suggests that widespread exploitation is currently unlikely, and the issue is not listed in the CISA KEV catalog. The most plausible attack vector is unauthorized access to the MAVLink interface, for example over wireless telemetry or ground‑station links, which lets an attacker inject unsigned messages that the autopilot accepts.

Generated by OpenCVE AI on April 7, 2026 at 23:57 UTC.

Remediation

Vendor Solution

PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening. Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing.
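The protocol-level rejection the description relies on, shown as an added example that is not PX4's or the MAVLink project's own code: a minimal MAVLink 2 receiver with signing enabled, which drops unsigned frames (the SERIAL_CONTROL case above), forged tags and replayed timestamps. It assumes the published signing construction (sha256_48 over key, header, payload, CRC, link ID and 48-bit timestamp); the payload and the CRC bytes are constructed placeholders, and CRC validation is not modelled.

```python
import hashlib
import hmac

MAVLINK2_STX = 0xFD
IFLAG_SIGNED = 0x01       # incompat_flags bit set when a 13-byte signature trailer follows the CRC
SIG_LEN = 13              # link_id (1) + timestamp (6, 10 us units since 2015-01-01) + sha256_48 (6)
MSG_SERIAL_CONTROL = 126  # the shell-access message named in the advisory

def sha256_48(key, header, payload, crc, link_id, ts_bytes):
    """MAVLink 2 signature: first 6 bytes of sha256(key || header || payload || crc || link_id || timestamp)."""
    return hashlib.sha256(key + header + payload + crc + bytes([link_id]) + ts_bytes).digest()[:6]

def build_frame(msgid, payload, seq=0, sysid=255, compid=190, key=None, link_id=1, timestamp=0):
    """Encode a MAVLink 2 frame; the signature trailer is appended only when a 32-byte key is given."""
    iflags = IFLAG_SIGNED if key else 0
    header = bytes([MAVLINK2_STX, len(payload), iflags, 0, seq, sysid, compid]) + msgid.to_bytes(3, "little")
    crc = b"\xab\xcd"  # constructed placeholder; the real X.25 CRC + CRC_EXTRA is not modelled here
    frame = header + payload + crc
    if key:
        ts = timestamp.to_bytes(6, "little")
        frame += bytes([link_id]) + ts + sha256_48(key, header, payload, crc, link_id, ts)
    return frame

class SigningReceiver:
    """Link endpoint with signing enabled: unsigned, forged and replayed frames never reach a handler."""
    def __init__(self, key):
        self.key = key
        self.last_ts = {}  # (sysid, compid, link_id) -> newest accepted timestamp for that stream

    def accept(self, frame):
        """Return (accepted, reason, msgid) for one raw frame."""
        if len(frame) < 12 or frame[0] != MAVLINK2_STX: return False, "not a MAVLink 2 frame", None
        length, iflags, sysid, compid = frame[1], frame[2], frame[5], frame[6]
        msgid = int.from_bytes(frame[7:10], "little")
        header, payload, crc = frame[:10], frame[10:10 + length], frame[10 + length:12 + length]
        if not iflags & IFLAG_SIGNED:
            return False, "unsigned frame rejected", msgid   # the CVE's case: no trailer at all
        sig = frame[12 + length:12 + length + SIG_LEN]
        if len(sig) != SIG_LEN: return False, "truncated signature", msgid
        link_id, ts_bytes, tag = sig[0], sig[1:7], sig[7:13]
        expected = sha256_48(self.key, header, payload, crc, link_id, ts_bytes)
        if not hmac.compare_digest(tag, expected):   # constant-time compare of the 48-bit tag
            return False, "bad signature", msgid
        stream, ts = (sysid, compid, link_id), int.from_bytes(ts_bytes, "little")
        if ts <= self.last_ts.get(stream, -1):       # same or older timestamp on this stream = replay
            return False, "stale timestamp (replay)", msgid
        self.last_ts[stream] = ts
        return True, "ok", msgid
```

A production receiver additionally bounds the timestamp against its own clock and keys the stream table per link; the checks above are the ones that turn the unauthenticated case in the advisory into a rejected frame.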


OpenCVE Recommended Actions

  • Enable MAVLink 2.0 message signing on all non‑USB communication links as recommended by PX4.
  • Follow the PX4 security hardening guide for detailed integration steps and configuration.
  • Verify that the autopilot rejects unsigned messages by testing or confirming the signing setting is active.
  • Consider network segmentation or firewall rules to limit access to the MAVLink interface.

Generated by OpenCVE AI on April 7, 2026 at 23:57 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Px4 autopilot
CPEs                |                | cpe:2.3:a:px4:autopilot:1.16.0:*:*:*:*:*:*:*
Vendors & Products  |                | Px4 autopilot

Fri, 03 Apr 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Px4; Px4 px4-autopilot
Vendors & Products  |                | Px4; Px4 px4-autopilot

Wed, 01 Apr 2026 02:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
Title       |                | PX4 Autopilot Missing authentication for critical function
Weaknesses  |                | CWE-306
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
            |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-31T20:36:09.044Z

Reserved: 2026-01-28T22:27:22.970Z

Link: CVE-2026-1579

Vulnrichment

Updated: 2026-03-31T20:36:03.968Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:27.897

Modified: 2026-04-07T15:33:30.363

Link: CVE-2026-1579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:05Z

Weaknesses