
CVE-2026-32709: PX4 Autopilot MAVLink FTP Unauthenticated Path Traversal

Published: 2026-03-13 | Category: Vulnerability Discovery | CVSS: 5.4 (Medium)
Tags: CVE, PX4, MAVLink, Path Traversal, Arbitrary File Read, Arbitrary File Write, Critical
Estimated Impact: 15,000+ customers
TL;DR:
An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows reading, writing, and deleting arbitrary files on the flight controller.

Summary

An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. This critical flaw stems from a lack of path sanitization, disabled validation on certain platforms, and a TOCTOU race condition.

CVE ID: CVE-2026-32709
Advisory: GHSA-fh32-qxj9-x32f
Affected Versions: PX4 Autopilot ≤ 1.17.0-rc1

Vulnerability Details

The vulnerability exists in multiple interacting components of the MAVLink FTP module.

1. Root Directory Escape

On NuttX targets, the FTP root directory is defined as an empty string. This means attacker-supplied paths are passed directly to filesystem syscalls without any prefix or sanitization for read operations.

2. Lack of Validation on Read Operations

Read-path operations (e.g., _workList, _workOpen for reading) skip the _validatePathIsWritable check entirely, allowing arbitrary file reading from the entire filesystem.

3. Disabled Validation on POSIX

The path validation function _validatePathIsWritable is conditionally compiled and unconditionally returns true on non-NuttX platforms (like Linux companion computers or SITL), providing zero protection.

4. TOCTOU Bypass on NuttX

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists because write validation occurs in _workWrite but not in _workOpen. An attacker can create a file with a malicious path, overwrite the shared path buffer with a "safe" path using a different command, and then proceed with the write.
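The check that items 1 to 3 describe as missing can be sketched as a single confinement routine that every FTP opcode calls, reads included. This is an added example, not PX4 code or the project's fix: ftp_confine_path, the /fs/microsd root and the sample log path are assumptions made for illustration.

```cpp
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Hypothetical helper (not a PX4 function): join a client-supplied path onto a
// fixed, non-empty root. `out` is valid only when the function returns true.
bool ftp_confine_path(const char *root, const char *client, char *out, size_t out_len)
{
    if (!root || root[0] != '/' || !client || !out) { return false; }
    size_t used = strlen(root);
    while (used > 1 && root[used - 1] == '/') { used--; }  // drop trailing slashes
    // An empty root or "/" confines nothing (the NuttX case above): refuse it.
    if (used < 2 || used + 1 > out_len) { return false; }
    memcpy(out, root, used);

    const char *p = client;
    while (*p) {
        while (*p == '/') { p++; }           // leading '/' is taken as root-relative
        size_t n = strcspn(p, "/");
        if (n == 0) { break; }
        if (n == 2 && p[0] == '.' && p[1] == '.') { return false; }  // never walk upward
        if (!(n == 1 && p[0] == '.')) {      // "." components are skipped
            if (used + 1 + n + 1 > out_len) { return false; }       // '/' + name + NUL
            out[used++] = '/';
            memcpy(out + used, p, n);
            used += n;
        }
        p += n;
    }
    out[used] = '\0';
    return true;
}

int main()
{
    char out[128];
    // Constructed requests; the last two are the paths used in the PoC section.
    const char *samples[] = { "log/sess001/log001.ulg", "/proc/version", "../../tmp/pwned" };
    for (const char *s : samples) {
        bool ok = ftp_confine_path("/fs/microsd", s, out, sizeof(out));
        printf("%-24s -> %s\n", s, ok ? out : "REJECTED");
    }
    return 0;
}
```

For the TOCTOU case in item 4, the confined path would be resolved once when the file is opened and stored with that session, so a later command cannot swap the path a write is checked against. The check is lexical only and does not follow symlinks that already exist under the root.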

Proof of Concept

Arbitrary File Read (NuttX)

# Open /proc/version for reading
path = b'/proc/version\x00'
payload = make_payload(seq=1, session=0, opcode=4, size=len(path), offset=0, data=path)
# ... send and then read file contents ...

Arbitrary File Write (POSIX)

# Create file outside root using path traversal
path = b'../../tmp/pwned\x00'
payload = make_payload(seq=0, session=0, opcode=6, size=len(path), offset=0, data=path)
# ... send and then write data ...

Impact

This is a critical vulnerability that grants unauthenticated full access to the flight controller's filesystem.

  • System Takeover: Attackers can overwrite firmware, modify configuration files, or plant malicious scripts.
  • Data Exfiltration: Sensitive information such as mission plans, geofences, flight logs, and cryptographic keys can be read.
  • Physical Safety: Modifying flight parameters or disabling safety checks can lead to loss of vehicle control, crashes, or unauthorized flight in restricted areas.
