CVE-2026-32709: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PX4 PX4-Autopilot
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.
AI Analysis
Technical Summary
CVE-2026-32709 is a path traversal vulnerability classified under CWE-22 affecting the PX4 Autopilot flight control software for drones, specifically versions prior to 1.17.0-rc2. The vulnerability resides in the MAVLink FTP implementation, which lacks proper validation and sanitization of file paths supplied by MAVLink peers. On NuttX-based targets, the FTP root directory is set to an empty string, meaning that attacker-controlled paths are passed directly to filesystem system calls without any prefix or sanitization, allowing arbitrary file access. On POSIX targets such as Linux companion computers or SITL (Software In The Loop) environments, the function responsible for validating write paths always returns true, effectively disabling any write protections. Additionally, a time-of-check to time-of-use (TOCTOU) race condition in the write validation logic on NuttX targets allows attackers to bypass the minimal existing safeguards. Exploiting this vulnerability requires no authentication or user interaction, and any MAVLink peer can leverage it to read, write, create, delete, or rename arbitrary files on the flight controller's filesystem. This can lead to unauthorized disclosure or modification of sensitive files, potentially compromising flight control integrity and confidentiality. The vulnerability does not directly impact availability but could indirectly cause operational issues if critical files are altered or deleted. The issue was addressed and fixed in PX4 version 1.17.0-rc2 by implementing proper path validation and sanitization. The CVSS v3.1 base score is 5.4, reflecting medium severity due to the ease of exploitation and impact on confidentiality and integrity without affecting availability.
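The summary above names three defects: an empty root prefix, a write-path guard that always returns true, and a check-then-use race. The following is an added illustration, written for this page and not PX4's own code, of what a contained path resolver looks like next to the two weak forms. The root directory `/fs/microsd`, the function names, and the sample paths are all assumptions; the real PX4 fix is not reproduced here.

```cpp
#include <cassert>
#include <sstream>
#include <string>
#include <vector>

// Constructed example, not PX4 code. Hypothetical FTP root; the advisory says
// the vulnerable NuttX builds used "" here, so peer paths reached syscalls untouched.
static const std::string kFtpRoot = "/fs/microsd";

// Weak form 1: empty root and no normalization (the NuttX read path as described).
// Whatever the peer sent is exactly what gets opened.
std::string weak_resolve_no_root(const std::string &peer_path)
{
    const std::string empty_root;
    return empty_root + peer_path;
}

// Weak form 2: the POSIX write-path guard the advisory says "unconditionally returns true".
bool weak_write_path_ok(const std::string & /*peer_path*/)
{
    return true;
}

// Lexically normalize a peer-supplied relative path under `root`: drop empty
// and "." segments, pop a segment for each "..", and refuse any ".." that
// would climb above the root. The result has no "." or ".." left in it.
bool lexical_normalize(const std::string &root, const std::string &peer_path, std::string &out)
{
    std::vector<std::string> stack;
    std::stringstream ss(peer_path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (stack.empty()) return false;   // would escape the root
            stack.pop_back();
            continue;
        }
        stack.push_back(seg);
    }
    out = root;
    for (const auto &s : stack) out += "/" + s;
    return true;
}

// Hardened resolver: reject embedded NUL bytes, normalize under the root, then
// re-check that the normalized result still starts with the root. Only the
// value written to `resolved` should ever be handed to open()/unlink()/rename().
bool safe_resolve(const std::string &peer_path, std::string &resolved)
{
    if (peer_path.find('\0') != std::string::npos) return false;
    if (!lexical_normalize(kFtpRoot, peer_path, resolved)) return false;
    // Belt-and-braces prefix check: must equal root or be root + "/...".
    if (resolved.compare(0, kFtpRoot.size(), kFtpRoot) != 0) return false;
    if (resolved.size() > kFtpRoot.size() && resolved[kFtpRoot.size()] != '/') return false;
    return true;
}

int main()
{
    std::string r;
    assert(safe_resolve("logs/2026/flight.ulg", r) && r == "/fs/microsd/logs/2026/flight.ulg");
    assert(!safe_resolve("../../outside.txt", r));          // rejected: climbs above root
    assert(weak_write_path_ok("../../outside.txt"));         // the always-true guard lets it through
    assert(weak_resolve_no_root("../../outside.txt") == "../../outside.txt");
    return 0;
}
```

This check is purely lexical. It closes the empty-root and always-true defects, but it cannot by itself close the TOCTOU race the summary mentions: if a component of the path can be swapped (for example via a symlink) between this check and the syscall, the syscall must operate on the already-opened object rather than on the string, so the validated path and the opened path are guaranteed to be the same thing.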
Potential Impact
This vulnerability poses a significant risk to organizations deploying PX4 Autopilot-based drones, especially those relying on NuttX or POSIX targets. Attackers can gain unauthorized access to the flight controller filesystem, potentially exposing sensitive configuration files, flight logs, or cryptographic keys. They can also modify or delete files, which may disrupt drone operations, cause erratic behavior, or enable further compromise. This could lead to loss of control over drones, data leakage, or sabotage of drone missions. The lack of authentication means that any MAVLink peer, including potentially malicious nearby actors or compromised ground stations, can exploit this vulnerability. While the vulnerability does not directly cause denial of service, the ability to alter critical files could indirectly degrade system availability or safety. Organizations using PX4 drones in critical infrastructure monitoring, delivery services, or defense applications face heightened risks. The medium CVSS score indicates a moderate but tangible threat that requires timely remediation to prevent exploitation.
Mitigation Recommendations
To mitigate CVE-2026-32709, organizations should immediately upgrade PX4 Autopilot to version 1.17.0-rc2 or later, where the vulnerability is fixed. Until upgrades are applied, restrict MAVLink access strictly to trusted and authenticated entities by implementing network segmentation and firewall rules that limit MAVLink traffic to authorized ground stations or control systems. Employ secure communication channels such as MAVLink over encrypted links (e.g., MAVLink over TLS or VPN) to prevent unauthorized peers from connecting. Conduct thorough audits of flight controller filesystem permissions and monitor for unusual file operations indicative of exploitation attempts. Implement runtime integrity checks on critical files to detect unauthorized modifications. For deployments on POSIX targets, ensure that companion computers enforce additional access controls and validate MAVLink messages. Finally, incorporate anomaly detection systems that can alert on suspicious MAVLink FTP activity or unexpected filesystem changes. These targeted measures go beyond generic advice by focusing on access control, monitoring, and rapid patch deployment specific to PX4 environments.
Affected Countries
United States, China, Germany, France, Japan, South Korea, United Kingdom, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.824Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b485502f860ef943b833ea
Added to database: 3/13/2026, 9:44:48 PM
Last enriched: 3/20/2026, 11:12:22 PM
Last updated: 4/28/2026, 7:29:00 AM
Views: 97