CVE-2026-32709: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PX4 PX4-Autopilot
CVE-2026-32709 is a path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation affecting versions prior to 1.17.0-rc2. It allows unauthenticated attackers to perform arbitrary file operations including read, write, create, delete, and rename on the flight controller filesystem. On NuttX targets, the FTP root directory is empty, enabling direct filesystem access without path sanitization. On POSIX targets, write-path validation is ineffective, and a TOCTOU race condition further bypasses protections on NuttX. This vulnerability can be exploited remotely by any MAVLink peer without authentication, posing risks to confidentiality and integrity of the system. The issue is fixed in version 1.17.0-rc2.
AI Analysis
Technical Summary
PX4 Autopilot is open-source flight control software widely used in drone systems. Prior to version 1.17.0-rc2, its MAVLink FTP implementation contains a critical path traversal vulnerability (CWE-22) identified as CVE-2026-32709. This flaw allows an unauthenticated MAVLink peer to bypass directory restrictions and perform arbitrary file system operations on the flight controller. Specifically, on NuttX-based targets, the FTP root directory is set to an empty string, meaning that attacker-supplied file paths are passed directly to system calls without any prefix or sanitization, enabling unrestricted file access. On POSIX targets such as Linux companion computers or SITL (Software In The Loop) simulations, the write-path validation function always returns true, effectively disabling any protection against unauthorized file writes. Additionally, a Time-Of-Check to Time-Of-Use (TOCTOU) race condition in the write validation on NuttX targets allows attackers to bypass the only existing guard mechanism. This combination of issues means that an attacker can remotely read, write, create, delete, or rename arbitrary files on the flight controller filesystem without any authentication or user interaction. The vulnerability impacts confidentiality and integrity but does not directly affect availability. The vulnerability was publicly disclosed and fixed in PX4 Autopilot version 1.17.0-rc2. No known exploits in the wild have been reported to date. The CVSS 3.1 base score is 5.4, reflecting medium severity due to the network attack vector, no privileges required, and no user interaction needed, but limited impact on availability and scope.
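The following is an added illustration, not PX4 code: it places the two weak patterns described above (an empty root that is simply concatenated with the client path, and a write-path validator that always returns true) beside a lexical containment check. The root directory `/fs/microsd` and every request path used here are constructed values, and the function names are hypothetical.

```cpp
// Added example (illustrative, not PX4 code): the two weak patterns the advisory
// describes, next to a lexical containment check that returns the exact string
// the caller must then hand to the file syscall.
#include <string>
#include <vector>

// Weak pattern 1 (the NuttX case in the advisory): an empty root means the client
// path reaches the syscall verbatim, so nothing confines it.
inline std::string weak_build_path(const std::string& root, const std::string& client_path) {
    return root + client_path;  // with root == "" this is just client_path
}

// Weak pattern 2 (the POSIX case in the advisory): a write-path validator that
// always succeeds, so the guard exists in name only.
inline bool weak_validate_write_path(const std::string& /*client_path*/) {
    return true;
}

// Hardened form: normalise the client path component by component, refuse any
// attempt to climb above the root, and write the confined path into `out`.
// A leading "/" in the client path is treated as "relative to the root", so
// "/etc/x" maps to "<root>/etc/x" rather than the real /etc/x.
inline bool confine_to_root(const std::string& root, const std::string& client_path,
                            std::string& out) {
    if (root.empty()) return false;               // never operate without a root
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() -> bool {
        if (cur.empty() || cur == ".") { cur.clear(); return true; }
        if (cur == "..") {
            if (parts.empty()) return false;      // would escape the root
            parts.pop_back();
        } else {
            parts.push_back(cur);
        }
        cur.clear();
        return true;
    };
    for (char c : client_path) {
        if (c == '\0') return false;              // embedded NUL would truncate the C path
        if (c == '/') { if (!flush()) return false; }
        else cur.push_back(c);
    }
    if (!flush()) return false;

    out = root;
    if (out.back() != '/') out.push_back('/');
    for (size_t i = 0; i < parts.size(); ++i) {
        out += parts[i];
        if (i + 1 < parts.size()) out.push_back('/');
    }
    return true;
}

// Convenience wrapper: the confined path, or "" when the request is rejected.
inline std::string confined_or_empty(const std::string& root, const std::string& client_path) {
    std::string out;
    return confine_to_root(root, client_path, out) ? out : std::string();
}
```

Two design points follow from the advisory. First, the caller must pass the string written into `out` to `open`, `unlink` or `rename`; re-deriving the path from the request buffer after the check re-opens the check-to-use window. Second, lexical normalisation sees no symlinks, so on targets whose filesystem supports them the operation should additionally be performed relative to a held root directory descriptor, or the opened file verified after the open.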
Potential Impact
The vulnerability allows attackers to gain unauthorized access to the flight controller's filesystem, potentially exposing sensitive configuration files, flight logs, or cryptographic keys, thereby compromising confidentiality. Attackers can also modify or delete critical files, undermining the integrity of the autopilot software and potentially causing erratic or unsafe drone behavior. This could lead to loss of control, mission failure, or safety hazards, especially in commercial, industrial, or governmental drone operations. Although availability is not directly impacted, the integrity compromise could indirectly cause operational disruptions. The lack of authentication and remote exploitability significantly increases the risk, as any MAVLink peer can exploit the flaw without user interaction. Organizations relying on PX4 for drone control, including manufacturers, service providers, and research institutions, face risks of data theft, operational sabotage, and regulatory non-compliance if unpatched systems are exploited.
Mitigation Recommendations
The primary mitigation is to upgrade PX4 Autopilot to version 1.17.0-rc2 or later, where the vulnerability is fixed. Until an upgrade is possible, organizations should restrict network access to MAVLink interfaces, ensuring only trusted and authenticated peers can connect. Implement network segmentation and firewall rules to isolate flight controllers and companion computers from untrusted networks. Monitor MAVLink traffic for anomalous FTP commands or unusual file operations. Employ runtime integrity checks on critical files and configurations to detect unauthorized modifications. For deployments on NuttX targets, consider disabling MAVLink FTP functionality if not required. Additionally, drone operators should enforce strict operational security policies, including limiting physical and network access to drone control systems. Vendors should review and harden path validation logic and eliminate TOCTOU race conditions in their codebase to prevent similar vulnerabilities.
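As an added example of the "monitor MAVLink traffic for anomalous FTP commands" recommendation (this is not PX4 or MAVLink project code), the block below decodes the payload of a MAVLink FILE_TRANSFER_PROTOCOL message and reports requests that carry a `..` path component, or that would modify files outside a prefix list the operator supplies. The header layout and opcode numbers follow the public MAVLink FTP protocol description; the allowed prefix `/fs/microsd/`, the sample payloads and all function names are constructed assumptions.

```cpp
// Added example (not PX4 or MAVLink project code): decode the 251-byte payload
// of a MAVLink FILE_TRANSFER_PROTOCOL message and flag FTP requests that carry
// a ".." component or that would modify files outside an operator-chosen prefix
// list. Header layout and opcodes follow the public MAVLink FTP description;
// the payloads built by make_payload() are constructed, not captured.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

enum Opcode : uint8_t {
    ListDirectory = 3, OpenFileRO = 4, ReadFile = 5, CreateFile = 6, WriteFile = 7,
    RemoveFile = 8, CreateDirectory = 9, RemoveDirectory = 10, OpenFileWO = 11,
    TruncateFile = 12, Rename = 13, CalcFileCRC32 = 14, BurstReadFile = 15
};

static const size_t kHeaderLen = 12;    // seq(2) session(1) opcode(1) size(1) req_opcode(1) burst(1) pad(1) offset(4)
static const size_t kPayloadLen = 251;  // header + 239 data bytes

struct FtpRequest {
    uint16_t seq = 0;
    uint8_t session = 0, opcode = 0, size = 0, req_opcode = 0, burst_complete = 0;
    uint32_t offset = 0;
    std::vector<std::string> paths;     // NUL-delimited strings from data[]; Rename carries two
};

struct Finding { uint16_t seq; uint8_t opcode; std::string path; std::string reason; };

inline bool carries_path(uint8_t op) {
    switch (op) {
        case ListDirectory: case OpenFileRO: case CreateFile: case RemoveFile:
        case CreateDirectory: case RemoveDirectory: case OpenFileWO: case TruncateFile:
        case Rename: case CalcFileCRC32: return true;
        default: return false;          // Read/Write/BurstRead address an open session, not a path
    }
}

inline bool parse_ftp_payload(const uint8_t* p, size_t len, FtpRequest& r) {
    if (len < kHeaderLen) return false;
    r.seq = uint16_t(p[0] | (p[1] << 8));
    r.session = p[2]; r.opcode = p[3]; r.size = p[4]; r.req_opcode = p[5]; r.burst_complete = p[6];
    r.offset = uint32_t(p[8]) | (uint32_t(p[9]) << 8) | (uint32_t(p[10]) << 16) | (uint32_t(p[11]) << 24);
    if (kHeaderLen + r.size > len) return false;   // size field claims more data than was received
    r.paths.clear();
    if (!carries_path(r.opcode)) return true;
    const size_t max_paths = (r.opcode == Rename) ? 2 : 1;
    std::string cur;
    for (size_t i = 0; i < r.size && r.paths.size() < max_paths; ++i) {
        if (p[kHeaderLen + i] == 0) { if (!cur.empty()) r.paths.push_back(cur); cur.clear(); }
        else cur.push_back(char(p[kHeaderLen + i]));
    }
    if (!cur.empty() && r.paths.size() < max_paths) r.paths.push_back(cur);
    return true;
}

// Component-wise check, so "notes..txt" is not reported while "a/../b" is.
inline bool has_dotdot_component(const std::string& path) {
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        if (end - start == 2 && path.compare(start, 2, "..") == 0) return true;
        start = end + 1;
    }
    return false;
}

inline bool under_prefix(const std::string& path, const std::vector<std::string>& prefixes) {
    for (const auto& pre : prefixes)
        if (path.compare(0, pre.size(), pre) == 0) return true;
    return false;
}

// Inspect one payload. `allowed_write_prefixes` is an operator-supplied
// assumption about where legitimate clients are expected to write.
inline std::vector<Finding> inspect(const std::vector<uint8_t>& payload,
                                    const std::vector<std::string>& allowed_write_prefixes) {
    std::vector<Finding> findings;
    FtpRequest r;
    if (!parse_ftp_payload(payload.data(), payload.size(), r)) {
        findings.push_back({0, 0, "", "malformed payload"});
        return findings;
    }
    const bool mutating = r.opcode >= CreateFile && r.opcode <= Rename;   // opcodes 6..13
    for (const auto& path : r.paths) {
        if (has_dotdot_component(path))
            findings.push_back({r.seq, r.opcode, path, "traversal component"});
        else if (mutating && !under_prefix(path, allowed_write_prefixes))
            findings.push_back({r.seq, r.opcode, path, "mutating op outside allowed prefix"});
    }
    return findings;
}

inline std::string first_reason(const std::vector<uint8_t>& payload,
                                const std::vector<std::string>& allowed) {
    std::vector<Finding> f = inspect(payload, allowed);
    return f.empty() ? std::string() : f.front().reason;
}

// Constructed sample payload builder (what a sensor sees after extracting the
// message's payload field); `data` holds the NUL-delimited path(s).
inline std::vector<uint8_t> make_payload(uint16_t seq, uint8_t opcode, const std::string& data) {
    std::vector<uint8_t> p(kPayloadLen, 0);
    p[0] = uint8_t(seq & 0xff); p[1] = uint8_t(seq >> 8);
    p[3] = opcode;
    p[4] = uint8_t(data.size() < kPayloadLen - kHeaderLen ? data.size() : kPayloadLen - kHeaderLen);
    std::memcpy(p.data() + kHeaderLen, data.data(), p[4]);
    return p;
}
```

The `inspect` function works on the extracted payload field, so it can sit behind any MAVLink decoder a sensor already has. Read, write and burst-read opcodes address a previously opened session rather than a path, which is why the parser does not interpret their data bytes; a complete monitor would additionally correlate those opcodes with the session opened by the preceding OpenFileRO or OpenFileWO request.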
Affected Countries
United States, China, Germany, France, Japan, South Korea, United Kingdom, Canada, Australia, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.824Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b485502f860ef943b833ea
Added to database: 3/13/2026, 9:44:48 PM
Last enriched: 3/13/2026, 10:00:38 PM
Last updated: 3/14/2026, 4:44:48 AM