CVE-2026-32713

Source
https://cve.org/CVERecord?id=CVE-2026-32713
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32713.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32713
Aliases
  • GHSA-pp2c-jr5g-6f2m
Published
2026-03-13T21:20:09.352Z
Modified
2026-04-12T20:14:04.919811Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors
Details

PX4 Autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the MAVLink FTP session validation in PX4 Autopilot contains a logic error: it uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
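
The defect class described above (CWE-670), as an added example that is not part of this record and is not PX4 source code: a simplified guard written once with && and once with ||, run over the full truth table of session id and descriptor state. The function names, the single session slot with id 0 and the sample inputs are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model of the defect class; NOT PX4 source. All names are hypothetical.
constexpr uint8_t kActiveSession = 0; // assumption: a single session slot with id 0
enum class Result { Ok, InvalidSession };

// Flawed guard: rejects only when the session id is wrong AND the descriptor is closed.
Result check_flawed(uint8_t req_session, int fd) {
    if (req_session != kActiveSession && fd < 0) { return Result::InvalidSession; }
    return Result::Ok;
}

// Corrected guard: rejects when the session id is wrong OR the descriptor is closed.
Result check_fixed(uint8_t req_session, int fd) {
    if (req_session != kActiveSession || fd < 0) { return Result::InvalidSession; }
    return Result::Ok;
}

struct Case { const char *name; uint8_t session; int fd; };

// Constructed inputs covering the full truth table (fd 3 = open, -1 = closed).
constexpr Case kCases[] = {
    {"valid session, open fd",     0,  3},
    {"valid session, closed fd",   0, -1},
    {"wrong session, open fd",     7,  3},
    {"wrong session, closed fd",   7, -1},
};

// Number of cases the flawed guard accepts although the corrected guard rejects them.
int count_wrongly_accepted() {
    int n = 0;
    for (const Case &c : kCases) {
        if (check_flawed(c.session, c.fd) == Result::Ok &&
            check_fixed(c.session, c.fd) == Result::InvalidSession) { ++n; }
    }
    return n;
}

int main() {
    for (const Case &c : kCases) {
        std::printf("%-26s flawed=%s fixed=%s\n", c.name,
                    check_flawed(c.session, c.fd) == Result::Ok ? "accept" : "reject",
                    check_fixed(c.session, c.fd) == Result::Ok ? "accept" : "reject");
    }
    std::printf("wrongly accepted: %d\n", count_wrongly_accepted());
    return 0;
}
```

A unit test that exercises each request handler's guard with all four combinations catches this kind of operator slip before release.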

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32713.json",
    "cwe_ids": [
        "CWE-670"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/px4/px4-autopilot

Affected ranges

Type
GIT
Repo
https://github.com/px4/px4-autopilot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0beta2
v1.0.0rc10
v1.0.0rc12
v1.0.0rc7
v1.0.0rc8
v1.0.0rc9
v1.1.0beta1
v1.1.0beta3
v1.1.1
v1.1.2
v1.1.3
v1.10.0-beta1
v1.10.0-beta2
v1.10.0-beta3
v1.10.0-beta4
v1.11.0-beta1
v1.11.0-beta2
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.12.0
v1.12.0-beta2
v1.12.0-beta3
v1.12.0-beta4
v1.12.0-beta5
v1.12.0-beta6
v1.12.0-rc1
v1.13.0-alpha1
v1.13.0-beta1
v1.14.0-beta1
v1.14.0-beta2
v1.15.0-alpha1
v1.15.0-beta1
v1.16.0-alpha1
v1.16.0-alpha2
v1.16.0-beta1
v1.16.0-rc1
v1.17.0-alpha1
v1.17.0-beta1
v1.17.0-rc1
v1.3.0rc1
v1.3.0rc2
v1.3.0rc3
v1.3.2
v1.4.0rc1
v1.4.0rc2
v1.4.0rc3
v1.4.0rc4
v1.4.1
v1.4.1rc1
v1.4.1rc2
v1.4.1rc3
v1.4.1rc4
v1.4.2
v1.4.3
v1.4.4rc1
v1.5.0
v1.5.1
v1.5.1rc2
v1.5.1rc3
v1.5.1rc4
v1.5.2
v1.6.0-rc2
v1.6.0-rc3
v1.6.0-rc4
v1.6.0rc1
v1.6.2
v1.6.4
v1.6.5
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.0-rc3
v1.7.0-rc4
v1.7.1
v1.7.2
v1.7.3
v1.7.3beta
v1.7.4beta
v1.8.0
v1.8.0-beta1
v1.8.0-beta2
v1.8.0-rc0
v1.9.0
v1.9.0-alpha
v1.9.0-beta1
v1.9.0-beta2
v1.9.0-beta3
v1.9.0-rc0
v1.9.0-rc1
v1.9.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32713.json"
vanir_signatures_modified
"2026-04-12T20:14:04Z"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2026-32713-8741f513",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/0b6e4687defb353a34201951809efd3f0040a9ba",
        "target": {
            "file": "src/modules/mavlink/mavlink_ftp.h"
        }
    },
    {
        "digest": {
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2026-32713-9203388c",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/0b6e4687defb353a34201951809efd3f0040a9ba",
        "target": {
            "file": "src/modules/mavlink/mavlink_ftp.cpp"
        }
    }
]