CVE-2026-32709

Source
https://cve.org/CVERecord?id=CVE-2026-32709
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32709.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32709
Aliases
  • GHSA-fh32-qxj9-x32f
Published
2026-03-13T21:19:33.528Z
Modified
2026-04-12T20:14:04.070700Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
PX4 Autopilot MAVLink FTP Unauthenticated Path Traversal (Arbitrary File Read/Write/Delete)
Details

PX4 Autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, a path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, so attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32709.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/px4/px4-autopilot

Affected ranges

Type
GIT
Repo
https://github.com/px4/px4-autopilot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0beta2
v1.0.0rc10
v1.0.0rc12
v1.0.0rc7
v1.0.0rc8
v1.0.0rc9
v1.1.0beta1
v1.1.0beta3
v1.1.1
v1.1.2
v1.1.3
v1.10.0-beta1
v1.10.0-beta2
v1.10.0-beta3
v1.10.0-beta4
v1.11.0-beta1
v1.11.0-beta2
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.12.0
v1.12.0-beta2
v1.12.0-beta3
v1.12.0-beta4
v1.12.0-beta5
v1.12.0-beta6
v1.12.0-rc1
v1.13.0-alpha1
v1.13.0-beta1
v1.14.0-beta1
v1.14.0-beta2
v1.15.0-alpha1
v1.15.0-beta1
v1.16.0-alpha1
v1.16.0-alpha2
v1.16.0-beta1
v1.16.0-rc1
v1.17.0-alpha1
v1.17.0-beta1
v1.17.0-rc1
v1.3.0rc1
v1.3.0rc2
v1.3.0rc3
v1.3.2
v1.4.0rc1
v1.4.0rc2
v1.4.0rc3
v1.4.0rc4
v1.4.1
v1.4.1rc1
v1.4.1rc2
v1.4.1rc3
v1.4.1rc4
v1.4.2
v1.4.3
v1.4.4rc1
v1.5.0
v1.5.1
v1.5.1rc2
v1.5.1rc3
v1.5.1rc4
v1.5.2
v1.6.0-rc2
v1.6.0-rc3
v1.6.0-rc4
v1.6.0rc1
v1.6.2
v1.6.4
v1.6.5
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.0-rc3
v1.7.0-rc4
v1.7.1
v1.7.2
v1.7.3
v1.7.3beta
v1.7.4beta
v1.8.0
v1.8.0-beta1
v1.8.0-beta2
v1.8.0-rc0
v1.9.0
v1.9.0-alpha
v1.9.0-beta1
v1.9.0-beta2
v1.9.0-beta3
v1.9.0-rc0
v1.9.0-rc1
v1.9.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32709.json"
vanir_signatures_modified
"2026-04-12T20:14:04Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/px4/px4-autopilot/commit/0b6e4687defb353a34201951809efd3f0040a9ba",
        "id": "CVE-2026-32709-8741f513",
        "signature_type": "Line",
        "target": {
            "file": "src/modules/mavlink/mavlink_ftp.h"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/px4/px4-autopilot/commit/0b6e4687defb353a34201951809efd3f0040a9ba",
        "id": "CVE-2026-32709-9203388c",
        "signature_type": "Line",
        "target": {
            "file": "src/modules/mavlink/mavlink_ftp.cpp"
        }
    }
]