CVE-2026-32713 - Vulnerability Analysis
MediumCVSS: 4.3Last Updated: March 16, 2026
PX4 autopilot - Broken Access Control
Published: March 16, 2026Updated: March 16, 2026PoC Available
Overview
PX4 autopilot < 1.17.0-rc2 contains a broken access control vulnerability caused by incorrect boolean logic in MAVLink FTP session validation, letting unauthenticated attackers bypass session isolation and trigger invalid file operations.
Severity & Score
Severity: Medium
CVSS Score: 4.3
Impact
Unauthenticated attackers can bypass session isolation and cause inconsistent FTP subsystem state, potentially disrupting drone control or data integrity.
Mitigation
Update to version 1.17.0-rc2 or later.
Related Resources
Details
- CVE ID
- CVE-2026-32713
- Severity
- Medium
- CVSS Score
- 4.3
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-670
CVSS Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L