CVE-2026-48117
Status: Deferred - Pending Action
Account Pre-Hijacking in DroneAware Platform

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-302: The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Compliance Impact

The vulnerability allows attackers to silently and persistently take over user accounts without the victim's knowledge, enabling unauthorized access to personal or sensitive data.

Such unauthorized access could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

The issue stems from improper authentication mechanisms, which may undermine compliance with standards mandating strong access controls and user authentication.

The vulnerability was fixed server-side with no user action required, which helps restore compliance by preventing account takeover attacks.

Executive Summary

The CVE-2026-48117 vulnerability affects the DroneAware drone detection platform's centralized server. An attacker can exploit an account pre-hijacking flaw by registering an account using a victim's email address with a password controlled by the attacker before the victim activates their account.

When the legitimate user later activates their account, either by clicking the email verification link or by logging in via Google Single Sign-On (SSO), the attacker-set password remains valid. This allows the attacker to silently and persistently take over the victim's account without any notification to the victim.

The vulnerability arises because the system enables all authentication methods during account activation, including the attacker-set password, which should have been invalidated.

Impact Analysis

This vulnerability allows attackers to gain unauthorized, silent, and persistent access to user accounts on the DroneAware platform if they know or can guess the victim's email address.

Attackers can access personal or sensitive data associated with the victim's account without the victim's knowledge, potentially leading to privacy breaches or misuse of information.

Detection Guidance

This vulnerability is related to account pre-hijacking on the centralized DroneAware server and involves attacker-controlled password registration before victim account activation.

Since the issue is server-side and involves authentication logic during account activation, there are no specific network or system commands provided to detect this vulnerability.

Detection would require monitoring for suspicious account registrations using known or guessed victim email addresses or unusual authentication events, but no explicit detection commands are available.

Mitigation Strategies

The vulnerability was fixed server-side on 2025-05-20, and no user or client-side action is required.

There are no workarounds or client-side mitigations applicable because the fix involves clearing attacker-controlled passwords during Google SSO activation and reducing email verification token lifetime.

Immediate steps include ensuring your DroneAware server is updated with the latest server-side patch deployed on May 20, 2026.
