CVE-2026-32709 Overview
CVE-2026-32709 is a path traversal vulnerability affecting PX4 Autopilot, a widely-used open-source flight control solution for drones. The vulnerability exists in the MAVLink FTP implementation and allows any unauthenticated MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without requiring authentication.
This firmware-level vulnerability affects both NuttX targets (common on flight controllers) and POSIX targets (Linux companion computers, Software-In-The-Loop simulation environments). The flaw stems from insufficient path validation and a Time-of-Check Time-of-Use (TOCTOU) race condition that can be exploited to bypass existing security guards.
Critical Impact
Attackers within adjacent network range can exploit this vulnerability to achieve complete filesystem access on affected drone flight controllers, potentially compromising flight safety, data integrity, and system confidentiality.
Affected Products
- Dronecode PX4 Drone Autopilot versions prior to 1.17.0-rc2
- Dronecode PX4 Drone Autopilot version 1.17.0-alpha1
- Dronecode PX4 Drone Autopilot version 1.17.0-beta1
- Dronecode PX4 Drone Autopilot version 1.17.0-rc1
Discovery Timeline
- 2026-03-16 - CVE-2026-32709 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-32709
Vulnerability Analysis
The vulnerability resides in the MAVLink FTP server implementation within PX4 Autopilot. MAVLink FTP is a file transfer protocol used for communication between ground control stations and flight controllers, enabling operations such as parameter file uploads, log downloads, and firmware updates.
The core issue is a path traversal vulnerability (CWE-22) that allows attackers to escape the intended FTP root directory and access arbitrary locations on the flight controller's filesystem. The vulnerability impacts both confidentiality and integrity, as attackers can read sensitive configuration data and write malicious files to the system.
On NuttX-based flight controllers, the FTP root directory is configured as an empty string, which means attacker-supplied paths containing directory traversal sequences (such as ../) are passed directly to filesystem syscalls without any prefix or sanitization for read operations. This effectively grants unrestricted filesystem access.
On POSIX targets, including Linux companion computers and SITL (Software-In-The-Loop) simulation environments, the write-path validation function unconditionally returns true, providing no protection whatsoever against malicious path inputs.
Root Cause
The root cause is twofold: missing input validation and improper implementation of security controls. On NuttX targets, the FTP implementation fails to sanitize file paths for read operations, allowing directory traversal. On POSIX targets, the validation function responsible for checking write paths is implemented incorrectly, always returning a success value regardless of the path provided.
Additionally, a Time-of-Check Time-of-Use (TOCTOU) race condition exists in the NuttX write validation logic, which allows attackers to bypass the only existing security guard by exploiting the timing window between the path validation check and the actual file operation.
Attack Vector
The attack vector is adjacent network-based, meaning an attacker must be within MAVLink communication range of the target drone. This could include:
- Direct radio link connection to the flight controller
- Connection through a companion computer on the same network
- Access to a ground control station network
- Exploitation during SITL testing environments
An attacker sends crafted MAVLink FTP requests containing path traversal sequences. Since no authentication is required for MAVLink FTP operations, any system capable of communicating via MAVLink can exploit this vulnerability.
The attack involves sending FTP requests with paths like /../../../etc/config to read sensitive files or write malicious configuration data. On POSIX targets, write operations to any location succeed due to the always-true validation function. On NuttX targets, the TOCTOU race condition can be exploited to bypass write restrictions.
Detection Methods for CVE-2026-32709
Indicators of Compromise
- Unusual MAVLink FTP traffic patterns, particularly requests containing ../ path traversal sequences
- Unexpected file modifications in system directories on the flight controller
- Anomalous read requests for files outside the normal FTP root directory
- Modified configuration files or parameter files without authorized changes
- Unexpected files appearing in system directories
Detection Strategies
- Monitor MAVLink traffic logs for FTP operations containing path traversal patterns
- Implement file integrity monitoring on critical flight controller configuration files
- Review MAVLink communication logs for unauthorized FTP sessions
- Deploy network monitoring to detect anomalous adjacent network connections to flight controllers
Monitoring Recommendations
- Enable verbose logging for MAVLink FTP operations where available
- Implement alerts for file system changes in protected directories
- Monitor for new or unexpected MAVLink peers establishing FTP sessions
- Conduct regular audits of flight controller filesystem contents for unauthorized modifications
How to Mitigate CVE-2026-32709
Immediate Actions Required
- Upgrade to PX4 Autopilot version 1.17.0-rc2 or later immediately
- Restrict physical and network access to flight controllers until patching is complete
- Review MAVLink communication channels and limit peer access where possible
- Audit flight controller filesystems for signs of unauthorized access or modifications
Patch Information
The vulnerability is fixed in PX4 Autopilot version 1.17.0-rc2. The patch addresses path traversal vulnerabilities in the MAVLink FTP implementation by implementing proper path sanitization and fixing the write validation function on POSIX targets.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-fh32-qxj9-x32f.
Workarounds
- Limit MAVLink communication to trusted peers only through network segmentation
- Disable MAVLink FTP functionality if not required for operations
- Implement additional network-level access controls to restrict adjacent network access
- Use encrypted and authenticated communication channels where supported
# Verify PX4 Autopilot version after upgrade
# Check that version is 1.17.0-rc2 or later
px4_fmu-v5_default showversion
# Review MAVLink configuration for FTP settings
# Consult PX4 documentation for disabling FTP if not needed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
