CVE-2026-1579 (GCVE-0-2026-1579)

Vulnerability from cvelistv5 – Published: 2026-03-31 20:20 – Updated: 2026-03-31 20:36
VLAI?
Title
PX4 Autopilot Missing authentication for critical function
Summary
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
PX4 Autopilot Affected: v1.16.0 SITL
Create a notification for this product.
Credits
Dolev Aviv of Cyviation reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1579",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T20:35:56.040324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T20:36:09.044Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Autopilot",
          "vendor": "PX4",
          "versions": [
            {
              "status": "affected",
              "version": "v1.16.0 SITL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dolev Aviv of Cyviation reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The MAVLink communication protocol does not require cryptographic \nauthentication by default. When MAVLink 2.0 message signing is not \nenabled, any message -- including SERIAL_CONTROL, which provides \ninteractive shell access -- can be sent by an unauthenticated party with\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \nsigning as the cryptographic authentication mechanism for all MAVLink \ncommunication. When signing is enabled, unsigned messages are rejected \nat the protocol level."
            }
          ],
          "value": "The MAVLink communication protocol does not require cryptographic \nauthentication by default. When MAVLink 2.0 message signing is not \nenabled, any message -- including SERIAL_CONTROL, which provides \ninteractive shell access -- can be sent by an unauthenticated party with\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \nsigning as the cryptographic authentication mechanism for all MAVLink \ncommunication. When signing is enabled, unsigned messages are rejected \nat the protocol level."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T20:20:06.506Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://docs.px4.io/main/en/mavlink/security_hardening"
        },
        {
          "url": "https://docs.px4.io/main/en/mavlink/message_signing"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePX4 recommends enabling MAVLink 2.0 message signing as the \nauthentication mechanism for all non\u2011USB communication links. PX4 has \npublished a security hardening guide for integrators and manufacturers \nat\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://docs.px4.io/main/en/mavlink/security_hardening\" title=\"(opens in a new window)\"\u003ehttps://docs.px4.io/main/en/mavlink/security_hardening\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003eMessage signing configuration documentation can be found at\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://docs.px4.io/main/en/mavlink/message_signing\" title=\"(opens in a new window)\"\u003ehttps://docs.px4.io/main/en/mavlink/message_signing\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "PX4 recommends enabling MAVLink 2.0 message signing as the \nauthentication mechanism for all non\u2011USB communication links. PX4 has \npublished a security hardening guide for integrators and manufacturers \nat\u00a0\n https://docs.px4.io/main/en/mavlink/security_hardening \n\n\nMessage signing configuration documentation can be found at\u00a0\n https://docs.px4.io/main/en/mavlink/message_signing"
        }
      ],
      "source": {
        "advisory": "ICSA-26-090-02",
        "discovery": "EXTERNAL"
      },
      "title": "PX4 Autopilot Missing authentication for critical function",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-1579",
    "datePublished": "2026-03-31T20:20:06.506Z",
    "dateReserved": "2026-01-28T22:27:22.970Z",
    "dateUpdated": "2026-03-31T20:36:09.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1579\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2026-03-31T21:16:27.897\",\"lastModified\":\"2026-04-01T14:23:37.727\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MAVLink communication protocol does not require cryptographic \\nauthentication by default. When MAVLink 2.0 message signing is not \\nenabled, any message -- including SERIAL_CONTROL, which provides \\ninteractive shell access -- can be sent by an unauthenticated party with\\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \\nsigning as the cryptographic authentication mechanism for all MAVLink \\ncommunication. When signing is enabled, unsigned messages are rejected \\nat the protocol level.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://docs.px4.io/main/en/mavlink/message_signing\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://docs.px4.io/main/en/mavlink/security_hardening\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1579\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T20:35:56.040324Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T20:36:03.968Z\"}}], \"cna\": {\"title\": \"PX4 Autopilot Missing authentication for critical function\", \"source\": {\"advisory\": \"ICSA-26-090-02\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Dolev Aviv of Cyviation reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"PX4\", \"product\": \"Autopilot\", \"versions\": [{\"status\": \"affected\", \"version\": \"v1.16.0 SITL\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"PX4 recommends enabling MAVLink 2.0 message signing as the \\nauthentication mechanism for all non\\u2011USB communication links. PX4 has \\npublished a security hardening guide for integrators and manufacturers \\nat\\u00a0\\n https://docs.px4.io/main/en/mavlink/security_hardening \\n\\n\\nMessage signing configuration documentation can be found at\\u00a0\\n https://docs.px4.io/main/en/mavlink/message_signing\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003ePX4 recommends enabling MAVLink 2.0 message signing as the \\nauthentication mechanism for all non\\u2011USB communication links. PX4 has \\npublished a security hardening guide for integrators and manufacturers \\nat\u0026nbsp;\u003cbr\u003e\u003ca href=\\\"https://docs.px4.io/main/en/mavlink/security_hardening\\\" title=\\\"(opens in a new window)\\\"\u003ehttps://docs.px4.io/main/en/mavlink/security_hardening\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003eMessage signing configuration documentation can be found at\u0026nbsp;\u003cbr\u003e\u003ca href=\\\"https://docs.px4.io/main/en/mavlink/message_signing\\\" title=\\\"(opens in a new window)\\\"\u003ehttps://docs.px4.io/main/en/mavlink/message_signing\u003c/a\u003e\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://docs.px4.io/main/en/mavlink/security_hardening\"}, {\"url\": \"https://docs.px4.io/main/en/mavlink/message_signing\"}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The MAVLink communication protocol does not require cryptographic \\nauthentication by default. When MAVLink 2.0 message signing is not \\nenabled, any message -- including SERIAL_CONTROL, which provides \\ninteractive shell access -- can be sent by an unauthenticated party with\\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \\nsigning as the cryptographic authentication mechanism for all MAVLink \\ncommunication. When signing is enabled, unsigned messages are rejected \\nat the protocol level.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The MAVLink communication protocol does not require cryptographic \\nauthentication by default. When MAVLink 2.0 message signing is not \\nenabled, any message -- including SERIAL_CONTROL, which provides \\ninteractive shell access -- can be sent by an unauthenticated party with\\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \\nsigning as the cryptographic authentication mechanism for all MAVLink \\ncommunication. When signing is enabled, unsigned messages are rejected \\nat the protocol level.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-03-31T20:20:06.506Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1579\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T20:36:09.044Z\", \"dateReserved\": \"2026-01-28T22:27:22.970Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-03-31T20:20:06.506Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.