CVE-2026-32713
PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
| CWE | CWE-670 |
| Vendor | px4 |
| Product | px4-autopilot |
| Published | Mar 13, 2026 |
| Last Updated | Mar 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for px4 px4-autopilot
Be the first to know when new medium vulnerabilities affecting px4 px4-autopilot are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
PX4 / PX4-Autopilot
< 1.17.0-rc2