CVE-2026-32709

MEDIUM 5.4

PX4 Autopilot MAVLink FTP Unauthenticated Path Traversal (Arbitrary File Read/Write/Delete)

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.

CWE	CWE-22
Vendor	px4
Product	px4-autopilot
Published	Mar 13, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for px4 px4-autopilot

Be the first to know when new medium vulnerabilities affecting px4 px4-autopilot are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

PX4 / PX4-Autopilot

< 1.17.0-rc2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-fh32-qxj9-x32f