Description
DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.
Published: 2026-06-17
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in DroneAware's centralized server allows an attacker to pre‑register an account using a victim's email address with an attacker‑controlled password before the victim activates the account. When the legitimate user later activates their account by clicking the email verification link or logging in via Google SSO, the attacker’s password continues to be valid, resulting in silent and persistent account takeover without any notification to the victim. This flaw is identified as CWE‑287 (Improper Authentication) and CWE‑302 (Improper Validation of Authentication Errors).

Affected Systems

The affected system is the DroneAware server that backs the droneaware.io service, specifically the fduflyer:DroneAware-Node-Releases product. Node binaries and self-hosted detection nodes are not affected, and the server‑side patch was released on 2025‑05‑20. The vulnerability is limited to the server component; any installations that have applied the patch are no longer affected.

Risk and Exploitability

The CVSS score is 6.8, indicating a medium severity. The EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely remote, requiring only the ability to register an account with the target’s email address, a common action in most deployment scenarios. Once the victim activates their account, the attacker retains full access, with no detection or mitigation on the client side, meaning the exploit can remain undetected for an extended period.

Generated by OpenCVE AI on June 18, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patched server version released on 2025‑05‑20 to eliminate the flaw.
  • Review account creation and activation logs for accounts created prior to the patch to identify any unauthorized registrations.
  • Enable two‑factor authentication for all user accounts to add an additional layer of protection against future capture of credentials.

Generated by OpenCVE AI on June 18, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Fduflyer
Fduflyer droneaware-node-releases
Vendors & Products Fduflyer
Fduflyer droneaware-node-releases

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.
Title DroneAware's Improper Account Activation in Registration and SSO Flows Leads to Account Takeover
Weaknesses CWE-287
CWE-302
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Fduflyer Droneaware-node-releases
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T15:41:14.311Z

Reserved: 2026-05-20T18:46:58.290Z

Link: CVE-2026-48117

cve-icon Vulnrichment

Updated: 2026-06-17T15:40:43.525Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:27Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-302

    Authentication Bypass by Assumed-Immutable Data