CVE-2026-1579 CRITICAL

CVE-2026-1579: PX4 Autopilot Missing authentication for critical function

Vendor Px4
Product Autopilot
Weakness CWE-306 · Missing auth
Published March 31, 2026
Last update March 31, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
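A defender can check a captured MAVLink byte stream for the condition described above. The sketch below is an added example, not code from PX4 or from this advisory: it walks MAVLink 1 and MAVLink 2 frames and reports SERIAL_CONTROL messages that carry no signature. It assumes a raw byte capture, does not verify checksums or signature validity, and its function names and sample frames are constructed for illustration.

```python
"""Flag unsigned MAVLink frames, and SERIAL_CONTROL in particular, in a raw byte capture."""
import struct

MAVLINK1_STX = 0xFE          # MAVLink 1 frames cannot be signed at all
MAVLINK2_STX = 0xFD
IFLAG_SIGNED = 0x01          # "signed" bit in the MAVLink 2 incompat_flags byte
SIGNATURE_LEN = 13           # link id (1) + timestamp (6) + truncated SHA-256 (6)
SERIAL_CONTROL = 126         # message id of SERIAL_CONTROL in the common dialect


def parse_frames(buf):
    """Yield (version, sysid, compid, msgid, signed) per frame; checksums are NOT verified."""
    i = 0
    while i < len(buf):
        stx = buf[i]
        if stx == MAVLINK2_STX and i + 10 <= len(buf):
            plen, incompat, _compat, _seq, sysid, compid = struct.unpack_from("<6B", buf, i + 1)
            msgid = int.from_bytes(buf[i + 7:i + 10], "little")
            signed = bool(incompat & IFLAG_SIGNED)
            total = 10 + plen + 2 + (SIGNATURE_LEN if signed else 0)
            version = 2
        elif stx == MAVLINK1_STX and i + 6 <= len(buf):
            plen, _seq, sysid, compid, msgid = struct.unpack_from("<5B", buf, i + 1)
            signed, total, version = False, 6 + plen + 2, 1
        else:
            i += 1               # not a start marker: resynchronise on the next byte
            continue
        if i + total > len(buf):
            break                # truncated trailing frame, stop parsing
        yield version, sysid, compid, msgid, signed
        i += total


def unsigned_serial_control(buf):
    """Return (sysid, compid) senders of SERIAL_CONTROL frames that carry no signature."""
    return [(s, c) for _v, s, c, m, signed in parse_frames(buf)
            if m == SERIAL_CONTROL and not signed]


def build_frame(msgid, payload, signed, sysid=255, compid=190):
    """Build a constructed MAVLink 2 frame with dummy checksum and signature bytes."""
    hdr = bytes([MAVLINK2_STX, len(payload), IFLAG_SIGNED if signed else 0, 0, 0, sysid, compid])
    sig = b"\x00" * SIGNATURE_LEN if signed else b""
    return hdr + msgid.to_bytes(3, "little") + payload + b"\x00\x00" + sig


# Constructed capture: signed HEARTBEAT (id 0), then unsigned and signed SERIAL_CONTROL.
SAMPLE = (build_frame(0, b"\x01" * 9, True) + build_frame(SERIAL_CONTROL, b"\x01" * 79, False, sysid=42)
          + build_frame(SERIAL_CONTROL, b"\x01" * 79, True))
```

A set signature flag only shows that a signature is present; whether it is valid is decided by the receiver holding the signing key.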

Key dates

02 Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated