CVE-2026-1579
Published 2026-03-31
Priority P2 · 65 · Critical 9.8 (CVSS 3.1: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS 0.93% (56.0th percentile)
The MAVLink communication protocol does not require cryptographic
authentication by default. When MAVLink 2.0 message signing is not
enabled, any message -- including SERIAL_CONTROL, which provides
interactive shell access -- can be sent by an unauthenticated party with
access to the MAVLink interface. PX4 provides MAVLink 2.0 message
signing as the cryptographic authentication mechanism for all MAVLink
communication. When signing is enabled, unsigned messages are rejected
at the protocol level.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| px4 | autopilot | v1.16.0_SITL_latest_stable (the only version listed in the CISA advisory below; no broader range is given) | — |
Detection & IOCs (extracted from sources)
Detection:
- Detect unauthenticated MAVLink SERIAL_CONTROL messages (message ID 126) on the MAVLink interface; with MAVLink 2.0 message signing disabled these provide interactive shell access without any cryptographic authentication.
- Alert on MAVLink 2.0 traffic that is not signed: frames (start byte 0xFD) whose incompat_flags field does not have the MAVLINK_IFLAG_SIGNED bit (0x01) set and that therefore carry no 13-byte signature trailer after the CRC, particularly toward PX4 Autopilot v1.16.0_SITL_latest_stable.
- Monitor for shell command execution originating from the MAVLink interface on PX4 Autopilot systems; it may indicate exploitation of the missing authentication via unsigned MAVLink messages.
Caveats:
- The vulnerability exists only when MAVLink 2.0 message signing is NOT enabled; systems that enforce signing reject unsigned messages at the protocol level and are not affected.
- Only PX4 Autopilot v1.16.0_SITL_latest_stable is confirmed affected; other versions are not listed as known-affected in the advisory.
- No known public exploitation specifically targeting this vulnerability had been reported to CISA at the time of advisory publication.
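The signing mechanism described in the NVD text and the first two detection points above, worked through as an added example; this is not PX4 or MAVLink project code. It encodes MAVLink 2 frames, applies the documented signature scheme (SHA-256 over the 32-byte secret key, the 10-byte header, payload, CRC, link ID and 48-bit timestamp, truncated to 6 bytes), shows the same unsigned SERIAL_CONTROL frame accepted by a link that does not require signing and rejected by one that does, and flags unsigned message 126 the way a passive sensor would. The CRC_EXTRA seeds (50 for HEARTBEAT, 220 for SERIAL_CONTROL) are the common-dialect values; the `Receiver` class and its `require_signing` policy are this example's own model of an autopilot link, not a PX4 API; the key, the frames and the shell payload (`ls`) are constructed for illustration.

```python
import hashlib
import hmac
import struct

STX2 = 0xFD                # MAVLink 2 start byte
IFLAG_SIGNED = 0x01        # incompat_flags bit: a 13-byte signature trailer follows the CRC
MSG_HEARTBEAT, MSG_SERIAL_CONTROL = 0, 126
CRC_EXTRA = {MSG_HEARTBEAT: 50, MSG_SERIAL_CONTROL: 220}   # seeds from the common dialect


def crc_x25(data: bytes, crc: int = 0xFFFF) -> int:
    """X.25 (CRC-16/MCRF4XX) checksum as used by MAVLink."""
    for byte in data:
        tmp = (byte ^ crc) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(msgid, payload, seq, sysid=255, compid=190, key=None, link_id=0, timestamp=0):
    """Encode a MAVLink 2 frame; with a 32-byte key append the signature trailer
    link_id(1) + timestamp(6, LE, 10 us units since 2015-01-01)
    + SHA-256(key + header + payload + crc + link_id + timestamp)[:6]."""
    payload = payload.rstrip(b"\x00") or b"\x00"           # MAVLink 2 trims trailing zero bytes
    header = struct.pack("<7B", STX2, len(payload), IFLAG_SIGNED if key else 0, 0, seq, sysid, compid)
    header += msgid.to_bytes(3, "little")
    crc = crc_x25(header[1:] + payload + bytes([CRC_EXTRA[msgid]]))   # STX is not covered
    frame = header + payload + struct.pack("<H", crc)
    if key:
        ts = timestamp.to_bytes(6, "little")
        frame += bytes([link_id]) + ts + hashlib.sha256(key + frame + bytes([link_id]) + ts).digest()[:6]
    return frame


class Receiver:
    """Frame parser plus signing policy (this example's own model of an autopilot link)."""

    def __init__(self, key=None, require_signing=False):
        self.key, self.require_signing = key, require_signing
        self.last_ts = {}      # (sysid, compid, link_id) -> newest accepted timestamp (replay guard)

    def parse(self, frame: bytes) -> dict:
        if len(frame) < 13 or frame[0] != STX2:
            return {"ok": False, "reason": "not a MAVLink 2 frame"}
        length, iflags, _cflags, seq, sysid, compid = struct.unpack_from("<6B", frame, 1)
        msgid, crc_off = int.from_bytes(frame[7:10], "little"), 10 + length
        info = {"ok": False, "msgid": msgid, "sysid": sysid, "compid": compid, "seq": seq,
                "signed": bool(iflags & IFLAG_SIGNED), "crc_ok": False}
        if msgid not in CRC_EXTRA or len(frame) < crc_off + 2:
            return {**info, "reason": "unknown message or truncated frame"}
        if crc_x25(frame[1:crc_off] + bytes([CRC_EXTRA[msgid]])) != struct.unpack_from("<H", frame, crc_off)[0]:
            return {**info, "reason": "bad crc"}
        info["crc_ok"], payload = True, frame[10:crc_off]
        if not info["signed"]:
            if self.require_signing:
                return {**info, "reason": "unsigned frame rejected"}   # the protocol-level rejection
            return {**info, "ok": True, "payload": payload}
        trailer = frame[crc_off + 2:crc_off + 15]
        if len(trailer) != 13 or self.key is None:
            return {**info, "reason": "signature trailer missing or no key configured"}
        link_id, ts = trailer[0], int.from_bytes(trailer[1:7], "little")
        expect = hashlib.sha256(self.key + frame[:crc_off + 2] + trailer[:7]).digest()[:6]
        if not hmac.compare_digest(expect, trailer[7:]):
            return {**info, "reason": "bad signature"}
        if ts <= self.last_ts.get((sysid, compid, link_id), -1):
            return {**info, "reason": "replayed or stale timestamp"}
        self.last_ts[(sysid, compid, link_id)] = ts
        return {**info, "ok": True, "payload": payload}


def detect_unsigned_shell(frames):
    """IOCs 1 and 2 as a passive sensor: CRC-valid SERIAL_CONTROL (126) frames with no signature."""
    rx, alerts = Receiver(), []        # no key: parse only, never authenticate
    for frame in frames:
        r = rx.parse(frame)
        if r.get("crc_ok") and r["msgid"] == MSG_SERIAL_CONTROL and not r["signed"]:
            alerts.append(f"unsigned SERIAL_CONTROL sysid={r['sysid']} compid={r['compid']} seq={r['seq']}")
    return alerts


# Constructed sample traffic (not captured from a vehicle). SERIAL_CONTROL payload layout:
# baudrate u32, timeout u16, device u8 (10 = shell), flags u8, count u8, data u8[70], target sys/comp.
SHELL_PAYLOAD = struct.pack("<IHBBB", 57600, 0, 10, 0, 3) + b"ls\n".ljust(70, b"\x00") + bytes([1, 1])
KEY = bytes(range(32))                                  # constructed 32-byte signing secret
UNSIGNED_SHELL = build_frame(MSG_SERIAL_CONTROL, SHELL_PAYLOAD, seq=1)
SIGNED_SHELL = build_frame(MSG_SERIAL_CONTROL, SHELL_PAYLOAD, seq=2, key=KEY, timestamp=1000)
HEARTBEAT = build_frame(MSG_HEARTBEAT, bytes(9), seq=3)


def verdicts():
    """Same frames seen with signing off, signing enforced, and a mismatched key."""
    lax, strict = Receiver(key=KEY), Receiver(key=KEY, require_signing=True)
    wrong_key = Receiver(key=bytes(32), require_signing=True)
    return {"lax_unsigned": lax.parse(UNSIGNED_SHELL)["ok"],        # accepted: the vulnerable default
            "strict_unsigned": strict.parse(UNSIGNED_SHELL)["ok"],  # rejected at the protocol level
            "strict_signed": strict.parse(SIGNED_SHELL)["ok"],
            "strict_replay": strict.parse(SIGNED_SHELL)["ok"],      # same timestamp replayed
            "wrong_key": wrong_key.parse(SIGNED_SHELL)["ok"]}


if __name__ == "__main__":
    print(verdicts(), detect_unsigned_shell([UNSIGNED_SHELL, SIGNED_SHELL, HEARTBEAT]))
```

The detector deliberately runs without a key: a network sensor can tell signed from unsigned frames by the incompat_flags bit and the trailer length alone, which is all the second IOC needs, while only the autopilot holding the shared secret can verify a signature. How the secret is provisioned to the vehicle and ground station (MAVLink's SETUP_SIGNING message on a trusted link) is outside this example.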
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-vcq6-mmfw-5xm3 (ghsa_unreviewed, 2026-03-31) · CVE-2026-1579 · CRITICAL · CWE-306
Title: The MAVLink communication protocol does not require cryptographic authentication by default
Description: same text as the NVD description above.
CISA ICS
ICS Advisory ICSA-26-090-02: PX4 Autopilot (cisa_ics, 2026-03-31, CVSS 9.3 [CRITICAL])
Release Date: March 31, 2026
Alert Code: ICSA-26-090-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication.
The following versions of PX4 Autopilot are affected:
- Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | PX4 | PX4 Autopilot | Missing Authentication for Critical Function |
## Background
- Critical Infrastructure Sectors: Transportation Systems, Emergency Services, Defense Industrial Base
- Countries/Areas Deployed: Worldwide
- Company H
No detection rules found.
No public exploits indexed.