CVE-2026-32713: CWE-670: Always-Incorrect Control Flow Implementation in PX4 PX4-Autopilot
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, a logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
AI Analysis
Technical Summary
CVE-2026-32713 is a vulnerability identified in the PX4-Autopilot flight control software for drones, affecting versions prior to 1.17.0-rc2. The root cause is a logic error in the MAVLink FTP session validation code, where the use of a logical AND (&&) operator instead of a logical OR (||) leads to incorrect session validation. This flaw allows BurstReadFile and WriteFile operations to proceed even when sessions are invalid or file descriptors are closed. Consequently, an unauthenticated attacker can bypass session isolation checks, triggering operations on invalid file descriptors and putting the FTP subsystem into an inconsistent state. The vulnerability does not compromise confidentiality or integrity but can degrade availability by causing unexpected behavior or crashes in the FTP subsystem. Exploitation requires no authentication or user interaction, increasing the risk of remote attacks. The issue is classified under CWE-670 (Always-Incorrect Control Flow Implementation), highlighting the improper control flow logic as the root cause. The vulnerability was publicly disclosed on March 13, 2026, with a CVSS v3.1 base score of 4.3 (medium severity), reflecting its limited impact and ease of exploitation. The PX4 project addressed this vulnerability in version 1.17.0-rc2 by correcting the boolean logic in session validation. No known exploits have been reported in the wild, but the flaw poses a risk to drone operations relying on vulnerable PX4 versions.
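The following C++ sketch is an added illustration of the CWE-670 pattern described above; it is not PX4's code, and the types, field names and dispatch function are hypothetical. It places the incorrect (&&) session check beside the corrected (||) form and shows how a request can reach the descriptor-touching step with a closed descriptor under the buggy check.

```cpp
// Added illustration of the && vs || session-validation bug class.
// Hypothetical single-session MAVLink FTP server model, not PX4 code.
#include <cstdint>

struct FtpSession {
    uint8_t id;   // session number expected in each FTP request
    int fd;       // descriptor backing the session; -1 once closed
};

struct FtpRequest {
    uint8_t session;  // session number carried by the incoming request
};

// Buggy check: both conditions must hold to reject, so a wrong session
// with an open descriptor, or the right session with a closed descriptor,
// is accepted.
bool session_invalid_buggy(const FtpSession &s, const FtpRequest &req)
{
    return req.session != s.id && s.fd < 0;
}

// Corrected check: either condition alone rejects the request.
bool session_invalid_fixed(const FtpSession &s, const FtpRequest &req)
{
    return req.session != s.id || s.fd < 0;
}

enum class FtpError { kNone, kInvalidSession, kBadDescriptor };

// Models dispatch of a WriteFile/BurstReadFile request. kBadDescriptor
// marks the point where real code would operate on a closed descriptor;
// the fixed check never lets a request get that far.
FtpError dispatch(const FtpSession &s, const FtpRequest &req, bool use_fixed)
{
    bool invalid = use_fixed ? session_invalid_fixed(s, req)
                             : session_invalid_buggy(s, req);
    if (invalid) {
        return FtpError::kInvalidSession;
    }
    if (s.fd < 0) {
        return FtpError::kBadDescriptor;  // reached only via the buggy gate
    }
    return FtpError::kNone;
}

// True when the buggy gate admits a request that the fixed gate rejects.
bool buggy_admits_fixed_rejects(uint8_t open_id, int fd, uint8_t req_id)
{
    FtpSession s{open_id, fd};
    FtpRequest r{req_id};
    return !session_invalid_buggy(s, r) && session_invalid_fixed(s, r);
}
```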
Potential Impact
The primary impact of CVE-2026-32713 is on the availability and reliability of the PX4-Autopilot's FTP subsystem. By allowing unauthenticated attackers to bypass session validation, the vulnerability can cause the FTP service to enter an inconsistent state, potentially leading to crashes or denial of service conditions. This can disrupt drone operations that depend on PX4 for flight control and file transfer, affecting mission-critical tasks such as firmware updates, data logging, or configuration management. Although the vulnerability does not directly expose sensitive data or allow code execution, the loss of availability can have operational consequences, especially in commercial, industrial, or defense drone deployments. Organizations operating fleets of drones with PX4 versions prior to 1.17.0-rc2 may face increased risk of service interruptions or degraded performance. The lack of authentication requirements and user interaction lowers the barrier for exploitation, making remote attacks feasible. However, the scope is limited to the FTP subsystem and does not compromise the overall flight control system's integrity or confidentiality.
Mitigation Recommendations
To mitigate CVE-2026-32713, organizations should promptly upgrade PX4-Autopilot installations to version 1.17.0-rc2 or later, where the logic error in MAVLink FTP session validation is corrected. For environments where immediate patching is not feasible, consider disabling the MAVLink FTP service if it is not essential to drone operations, thereby eliminating the attack surface. Implement network-level controls such as firewall rules or segmentation to restrict access to the MAVLink FTP port, limiting exposure to untrusted networks. Monitoring and logging MAVLink FTP session activity can help detect anomalous or unauthorized operations indicative of exploitation attempts. Additionally, review and harden drone operational procedures to minimize reliance on FTP file transfers during critical missions. Vendors and integrators should verify that their PX4-based systems incorporate the patched version and communicate the importance of updates to end users. Finally, maintain awareness of PX4 security advisories and subscribe to relevant threat intelligence feeds for emerging exploit information.
Affected Countries
United States, China, Germany, France, Japan, South Korea, Australia, United Kingdom, Canada, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.824Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b485502f860ef943b833ee
Added to database: 3/13/2026, 9:44:48 PM
Last enriched: 3/20/2026, 11:12:36 PM
Last updated: 4/28/2026, 7:23:47 AM