Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.
Published: 2026-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File System Compromise
Action: Immediate Patch
AI Analysis

Impact

PX4 Autopilot firmware exposes an unauthenticated path traversal (CWE-22) in its MAVLink FTP implementation. Attacker-supplied paths are not confined to the intended FTP root: on NuttX the root is an empty string, so client paths reach filesystem syscalls unmodified; on POSIX the write-path validator always returns true; and the one remaining NuttX write guard can be raced (TOCTOU). Any MAVLink peer can therefore read, write, create, delete and rename arbitrary files on the flight controller or companion-computer filesystem. The page classifies this as file system compromise, potentially allowing modification of flight parameters, firmware, or injection of malicious code; note that the CVSS 3.1 vector rates confidentiality and integrity impact as Low with no availability impact.
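The description and the impact paragraph above name three failure modes: an empty root on NuttX, a write validator that always returns true on POSIX, and a check-then-use window in the remaining NuttX guard. The following is an added example, not PX4 source and not the project's fix: it reconstructs the weak shape described for illustration and sets a lexical validator beside it that avoids all three. Every name in it (weak_resolve, weak_validate_write_path, validate_ftp_path, the root "/fs/microsd") is this example's own assumption.

```cpp
// Added example, not PX4 source. Function names and the sample root are assumptions.
#include <cstdio>
#include <string>
#include <vector>

// The weak shape the CVE text describes (reconstructed for illustration, not PX4 code):
// an empty root concatenates the client path verbatim, and a validator that always
// returns true guards nothing.
std::string weak_resolve(const std::string &root, const std::string &client_path) {
    return root + client_path;   // root == "" on NuttX per the advisory: no prefix at all
}
bool weak_validate_write_path(const std::string &) { return true; }   // POSIX per the advisory

// Hardened variant. Three properties matter:
//  1. the root must be a non-empty absolute directory, so nothing is resolved verbatim;
//  2. ".", ".." and empty segments are folded lexically, and any ".." that would climb
//     above the root rejects the request instead of being handed to the kernel;
//  3. the decision is made on the string alone (no stat/realpath of the target) and the
//     caller opens exactly the string returned, so there is no check-then-use window.
// Returns the confined absolute path, or "" when the request is rejected.
std::string validate_ftp_path(const std::string &root, const std::string &client_path) {
    if (root.empty() || root[0] != '/') return "";
    if (client_path.find('\0') != std::string::npos) return "";   // embedded NUL truncates in C APIs

    std::vector<std::string> parts;   // normalised components under root
    std::string seg;
    // Fold one component into parts; returns false when it would escape the root.
    auto fold = [&]() -> bool {
        bool ok = true;
        if (seg == "..") {
            if (parts.empty()) ok = false;   // climbing above root
            else parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            parts.push_back(seg);
        }
        seg.clear();
        return ok;
    };
    for (char c : client_path) {
        if (c == '/') { if (!fold()) return ""; }
        else seg.push_back(c);
    }
    if (!fold()) return "";

    std::string out = root;
    while (out.size() > 1 && out.back() == '/') out.pop_back();   // strip trailing '/' from root
    for (const std::string &p : parts) {
        if (out.back() != '/') out += '/';
        out += p;
    }
    return out;
}

int main() {
    // Constructed sample requests, including a traversal attempt and an absolute path.
    const char *root = "/fs/microsd";
    const char *requests[] = { "log/../flight1.ulg", "/etc/passwd", "../../etc/passwd", "" };
    for (const char *r : requests) {
        std::string hardened = validate_ftp_path(root, r);
        std::printf("%-20s weak(root=\"\"): %-20s hardened: %s\n", r,
                    weak_resolve("", r).c_str(),
                    hardened.empty() ? "REJECTED" : hardened.c_str());
    }
    return 0;
}
```

The string returned by validate_ftp_path is the only thing the file-operation code should pass to open, unlink or rename (both paths of a rename go through it); re-deriving the path, or probing the target with stat or realpath before use, reopens the race the advisory describes. Lexical confinement does not defend against a symlink already present under the root that points outside it; on POSIX targets where a peer could plant one, opening the root once and using openat with O_NOFOLLOW relative to that descriptor closes that gap (a deployment assumption, not something the advisory states).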

Affected Systems

The affected vendor is PX4 under the product PX4-Autopilot. All builds prior to version 1.17.0-rc2 are susceptible, including the 1.17.0-alpha1, 1.17.0-beta1 and 1.17.0-rc1 pre-releases and every earlier release. Both target families PX4 supports are affected, with different root causes on each: NuttX flight controllers (empty FTP root, raceable write guard) and POSIX builds such as Linux companion computers and SITL (write-path validation that always returns true).

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium). The EPSS score below 1 % indicates a low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment recorded in the history below notes a public proof of concept (Exploitation: poc). No privileges or user interaction are required, but the CVSS attack vector is Adjacent (AV:A) rather than Network: the attacker must be able to exchange MAVLink with the vehicle over some link it is already on (telemetry radio, Wi-Fi, or a network path from the ground-control station or companion computer), after which it can issue arbitrary file operations directly from that peer.

Generated by OpenCVE AI on March 17, 2026 at 16:09 UTC.

Remediation

The CVE description states that the issue is fixed in PX4 Autopilot 1.17.0-rc2. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade the PX4 Autopilot firmware to version 1.17.0-rc2 or later on flight controllers (NuttX) and on Linux companion computers or SITL builds (POSIX), since both targets are affected.
  • Verify that the upgrade has been applied by checking the firmware revision the vehicle reports, for example with the ver command on the PX4 console or the AUTOPILOT_VERSION MAVLink message shown in the ground-control station's vehicle information, rather than relying on the version of the file that was flashed.
  • Until the upgrade is in place, treat every peer that can reach the MAVLink link as able to read and write the flight controller's filesystem: as a compensating control (not a fix) avoid exposing MAVLink over open Wi-Fi or untrusted networks.


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 19:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Dronecode; Dronecode px4 Drone Autopilot

Type: CPEs
Values removed: (none)
Values added:
  • cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*
  • cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Dronecode; Dronecode px4 Drone Autopilot

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Px4; Px4 px4-autopilot

Type: Vendors & Products
Values removed: (none)
Values added: Px4; Px4 px4-autopilot

Fri, 13 Mar 2026 21:45:00 +0000

Type: Description
Values removed: (none)
Values added: PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.

Type: Title
Values removed: (none)
Values added: PX4 Autopilot MAVLink FTP Unauthenticated Path Traversal (Arbitrary File Read/Write/Delete)

Type: Weaknesses
Values removed: (none)
Values added: CWE-22

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:12:28.877Z

Reserved: 2026-03-13T14:33:42.824Z

Link: CVE-2026-32709

Vulnrichment

Updated: 2026-03-17T15:12:23.768Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:42.140

Modified: 2026-03-16T19:03:39.017

Link: CVE-2026-32709

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:19Z

Weaknesses