CVE-2026-32709

Name of the Vulnerable Software and Affected Versions PX4 autopilot versions prior to 1.17.0-rc2

Description PX4 autopilot is a flight control solution for drones. A path traversal issue exists in the PX4 Autopilot MAVLink FTP implementation that allows any MAVLink peer to perform unauthorized file operations – including reading, writing, creating, deleting, and renaming – on the flight controller filesystem without authentication. On NuttX systems, the FTP root directory is empty, leading to direct passing of attacker-supplied paths to filesystem calls without any sanitization during read operations. On POSIX systems, the write-path validation function does not provide any protection. A time-of-check to time-of-use (TOCTOU) race condition in the write validation on NuttX systems further bypasses existing security measures.

Recommendations Versions prior to 1.17.0-rc2 should be updated to version 1.17.0-rc2 or later.