CVE-2026-1579
published 2026-03-31


Priority: P2 (65)
Severity: critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.0th percentile)
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

Affected (2 ranges)

Vendor/Product      Version range      Fixed in
px4autopilot        (not given)        (not given)
px4autopilot        (not given)        (not given)

Detection & IOCs (extracted from sources)

  • Detect unauthenticated MAVLink SERIAL_CONTROL messages (message ID 126) on the MAVLink interface. SERIAL_CONTROL provides interactive shell access, and when MAVLink 2.0 message signing is disabled nothing ties the sender to a key.
  • Alert on MAVLink 2.0 traffic that is not signed, i.e. frames whose incompat_flags byte has bit 0 (MAVLINK_IFLAG_SIGNED) clear and which therefore carry no 13-byte signature after the CRC. The advisory names PX4 Autopilot v1.16.0_SITL_latest_stable specifically.
  • Monitor for shell command execution originating from the MAVLink interface on PX4 Autopilot systems; commands arriving over unsigned MAVLink may indicate exploitation of the missing authentication.
  • The vulnerability exists only when MAVLink 2.0 message signing is not enabled. Systems that enforce signing reject unsigned messages at the protocol level and are not affected.
  • Only PX4 Autopilot version v1.16.0_SITL_latest_stable is confirmed affected; the advisory lists no other versions as known-affected.
  • No known public exploitation specifically targeting this vulnerability had been reported to CISA at the time of advisory publication.
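The two points above, that an unsigned frame is indistinguishable from an attacker's frame without signing, and that a receiver with signing enforced drops it at the protocol level, can be shown concretely on the wire. The following is an added example written for this page; it is not PX4, MAVLink or pymavlink code. It encodes and decodes MAVLink 2 frames by hand (STX 0xFD, 10-byte header, payload, CRC-16/MCRF4XX with the per-message CRC_EXTRA seed, optional 13-byte signature made of link id, 48-bit timestamp and the first 6 bytes of SHA-256 over key, frame, link id and timestamp), then runs the advisory's detection rule over a constructed capture. Assumptions: the CRC_EXTRA values for HEARTBEAT and SERIAL_CONTROL are quoted from memory of the common dialect, the 32-byte DEMO_KEY and the three captured frames are invented, and the parser expects a clean stream with no resynchronisation.

```python
"""Detect unsigned MAVLink 2 SERIAL_CONTROL frames and show signing enforcement.

Added illustration for this advisory; not PX4 or pymavlink code. The capture
below is constructed, not a recorded flight log.
"""
import hashlib
import hmac
import struct

MAVLINK2_STX = 0xFD
IFLAG_SIGNED = 0x01            # incompat_flags bit 0: a 13-byte signature follows the CRC
MSG_HEARTBEAT = 0
MSG_SERIAL_CONTROL = 126       # serial/shell passthrough, the message named in the advisory
SERIAL_CONTROL_DEV_SHELL = 10  # device id selecting the autopilot's own shell
SIGNATURE_LEN = 13             # link_id (1) + timestamp (6) + truncated SHA-256 (6)
# CRC_EXTRA seeds (assumption: recalled from the common dialect; check your XML).
CRC_EXTRA = {MSG_HEARTBEAT: 50, MSG_SERIAL_CONTROL: 220}


def x25_crc(data: bytes) -> int:
    """CRC-16/MCRF4XX as used by MAVLink (init 0xFFFF, no final XOR)."""
    crc = 0xFFFF
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(msgid, payload, seq=0, sysid=1, compid=1, key=None, link_id=0, timestamp=1):
    """Encode one MAVLink 2 frame; sign it when a 32-byte key is supplied."""
    payload = payload.rstrip(b"\0") or b"\0"          # MAVLink 2 trailing-zero truncation
    flags = IFLAG_SIGNED if key else 0
    header = struct.pack("<7B", MAVLINK2_STX, len(payload), flags, 0, seq, sysid, compid)
    header += msgid.to_bytes(3, "little")
    crc = x25_crc(header[1:] + payload + bytes([CRC_EXTRA[msgid]]))  # STX is not covered
    frame = header + payload + struct.pack("<H", crc)
    if key:
        sig_head = bytes([link_id]) + timestamp.to_bytes(6, "little")
        # signature = first 48 bits of SHA-256(key || STX..CRC || link_id || timestamp)
        frame += sig_head + hashlib.sha256(key + frame + sig_head).digest()[:6]
    return frame


def parse_frames(stream: bytes):
    """Split a byte stream into MAVLink 2 frames (assumption: clean capture, no resync)."""
    frames, i = [], 0
    while i + 10 <= len(stream):
        if stream[i] != MAVLINK2_STX:
            i += 1
            continue
        plen, iflags, _cflags, seq, sysid, compid = struct.unpack_from("<6B", stream, i + 1)
        msgid = int.from_bytes(stream[i + 7:i + 10], "little")
        signed = bool(iflags & IFLAG_SIGNED)
        total = 10 + plen + 2 + (SIGNATURE_LEN if signed else 0)
        if i + total > len(stream):
            break
        raw = stream[i:i + total]
        crc_ok = None
        if msgid in CRC_EXTRA:
            sent = struct.unpack_from("<H", raw, 10 + plen)[0]
            crc_ok = sent == x25_crc(raw[1:10 + plen] + bytes([CRC_EXTRA[msgid]]))
        frames.append({"msgid": msgid, "sysid": sysid, "compid": compid, "seq": seq,
                       "signed": signed, "crc_ok": crc_ok,
                       "payload": raw[10:10 + plen], "raw": raw})
        i += total
    return frames


def verify_signature(raw: bytes, key: bytes) -> bool:
    """Recompute the 48-bit signature over STX..CRC plus link id and timestamp."""
    if not (raw[2] & IFLAG_SIGNED):
        return False                                   # unsigned: nothing to verify
    body, tail = raw[:-SIGNATURE_LEN], raw[-SIGNATURE_LEN:]
    expected = hashlib.sha256(key + body + tail[:7]).digest()[:6]
    return hmac.compare_digest(expected, tail[7:])


def accept(raw: bytes, key) -> bool:
    """Receiver policy. key=None models the advisory's default (signing not
    enabled): every well-formed frame is accepted. With a key only correctly
    signed frames pass, which is the protocol-level rejection the fix relies on."""
    return True if key is None else verify_signature(raw, key)


def unsigned_serial_control(stream: bytes):
    """Detection rule from the advisory: SERIAL_CONTROL with no signature."""
    return [f for f in parse_frames(stream)
            if f["msgid"] == MSG_SERIAL_CONTROL and not f["signed"]]


def serial_control_payload(command: bytes, device=SERIAL_CONTROL_DEV_SHELL, flags=0) -> bytes:
    """SERIAL_CONTROL wire order: baudrate u32, timeout u16, device u8, flags u8, count u8, data[70]."""
    return struct.pack("<IHBBB", 0, 0, device, flags, len(command)) + command.ljust(70, b"\0")


# Constructed capture: a benign heartbeat, an unsigned shell command from a
# ground-station sysid (the advisory's attack), and the same command signed.
DEMO_KEY = bytes(range(32))                            # assumption: demo key only
CAPTURE = (
    build_frame(MSG_HEARTBEAT, bytes(9), seq=1)
    + build_frame(MSG_SERIAL_CONTROL, serial_control_payload(b"reboot\n"), seq=2, sysid=255)
    + build_frame(MSG_SERIAL_CONTROL, serial_control_payload(b"reboot\n"), seq=3, key=DEMO_KEY)
)

if __name__ == "__main__":
    for f in unsigned_serial_control(CAPTURE):
        cmd = f["payload"][9:]                         # data[] starts after the 9 fixed bytes
        print("ALERT unsigned SERIAL_CONTROL sysid=%d seq=%d crc_ok=%s data=%r"
              % (f["sysid"], f["seq"], f["crc_ok"], cmd))
```

Running the detection over the capture flags only the unsigned SERIAL_CONTROL frame; the signed copy of the same command is not reported. The receiver policy shows the other half of the advisory: with no key the unsigned shell command is accepted, with a key it is rejected, and a signed frame whose payload has been altered by one bit fails verification as well.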

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X