CVE-2026-32709
Undergoing Analysis Undergoing Analysis - In Progress
Path Traversal in PX4 Autopilot MAVLink FTP Enables Arbitrary File Access

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32709
EUVD
EUVD-2026-12173
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dronecode px4_drone_autopilot to 1.17.0 (exc)
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32709 is an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation affecting versions prior to 1.17.0-rc2.

This flaw allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without any authentication.

On NuttX targets, the FTP root directory is an empty string, so attacker-supplied file paths are used directly in filesystem calls without any prefix or sanitization, enabling traversal outside intended directories.

On POSIX targets (Linux companion computers, SITL), the write-path validation function always returns true, disabling any write-path protection.

Additionally, a time-of-check-to-time-of-use (TOCTOU) race condition on NuttX allows bypassing the only existing write validation guard.

No authentication is required to exploit this vulnerability, meaning any system with matching or broadcast target IDs can perform these unauthorized file operations.

Impact Analysis

This vulnerability can lead to unauthorized reading of sensitive files such as configuration files, logs, cryptographic keys, and parameters.

Attackers can create or modify arbitrary files, potentially planting malicious scripts, overwriting firmware, or tampering with configuration.

It also allows deletion of files, which can be used to cover tracks or cause system instability.

Exfiltration of mission plans, geofence data, and flight logs is possible.

Physical safety risks include loss of vehicle control, crashes, or bypassing geofences, which can have serious consequences.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring MAVLink FTP traffic for unauthorized or suspicious file operations such as reading, writing, creating, deleting, or renaming files without authentication.

Since the vulnerability allows arbitrary file access via path traversal, commands or scripts that attempt to access files outside the expected FTP root directory (e.g., using paths like ../../) can help detect exploitation attempts.

On NuttX targets, attempts to read sensitive files such as /proc/version via MAVLink FTP commands could indicate exploitation.

On POSIX targets, attempts to write files outside the intended directory (e.g., ../../tmp/pwned) via MAVLink FTP commands can be a sign of exploitation.

Network monitoring tools can be used to capture MAVLink FTP packets and inspect for path traversal patterns or unauthorized file operations.

Specific commands depend on the MAVLink interface and tools available, but generally, capturing MAVLink FTP traffic and analyzing file operation commands for suspicious paths is recommended.

Mitigation Strategies

The immediate mitigation step is to upgrade the PX4 Autopilot software to version 1.17.0-rc2 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict network access to the MAVLink FTP service to trusted systems only, minimizing exposure to untrusted MAVLink peers.

Implement network-level controls such as firewall rules or segmentation to limit access to the MAVLink interface.

Monitor MAVLink FTP traffic for suspicious file operations and unauthorized access attempts.

Consider disabling or restricting MAVLink FTP functionality if it is not required for your operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart