LeakyCreds

CVE-2026-1579 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 1, 2026

PX4 MAVLink - Authentication Bypass

Published: March 31, 2026 | Updated: April 1, 2026 | Remote Exploitable

Overview

The MAVLink communication protocol in PX4, when used without MAVLink 2.0 message signing, contains an authentication bypass caused by the lack of cryptographic authentication. It lets unauthenticated attackers send arbitrary messages, including SERIAL_CONTROL. Exploitation requires MAVLink 2.0 message signing to be disabled.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 7.3% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can send arbitrary commands, including commands that provide interactive shell access, potentially leading to full system compromise.

Mitigation

Enable MAVLink 2.0 message signing or update to the latest version with signing enabled.
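
A passive check for whether signing is actually in use on a link, run over captured MAVLink bytes; this is an added example, not code from the advisory or the PX4 project. It assumes standard MAVLink framing (start bytes 0xFD/0xFE, incompat_flags bit 0x01 for signed frames, SERIAL_CONTROL as message id 126); the sample bytes are constructed with placeholder checksums, and neither checksums nor signature values are verified.

```python
MAVLINK2_STX = 0xFD    # MAVLink 2 start-of-frame byte
MAVLINK1_STX = 0xFE    # MAVLink 1 start-of-frame byte (v1 frames cannot be signed)
IFLAG_SIGNED = 0x01    # incompat_flags bit marking a signed MAVLink 2 frame
SERIAL_CONTROL = 126   # message id of SERIAL_CONTROL in the common dialect
SIG_LEN = 13           # link id (1) + timestamp (6) + signature (6)

def audit_stream(buf):
    """Return one finding per frame; only header fields are inspected."""
    findings, i = [], 0
    while i < len(buf):
        if buf[i] == MAVLINK2_STX and i + 10 <= len(buf):
            version, length = 2, buf[i + 1]
            signed = bool(buf[i + 2] & IFLAG_SIGNED)
            msgid = int.from_bytes(buf[i + 7:i + 10], "little")
            size = 10 + length + 2 + (SIG_LEN if signed else 0)
        elif buf[i] == MAVLINK1_STX and i + 6 <= len(buf):
            version, length, signed = 1, buf[i + 1], False
            msgid = buf[i + 5]
            size = 6 + length + 2
        else:
            i += 1                      # not a frame start: resynchronise
            continue
        if i + size > len(buf):
            break                       # truncated trailing frame
        findings.append({"offset": i, "version": version, "msgid": msgid,
                         "signed": signed,
                         "alert": msgid == SERIAL_CONTROL and not signed})
        i += size
    return findings

def frame2(msgid, payload, signed):
    """Build a constructed MAVLink 2 frame with placeholder checksum/signature."""
    header = bytes([MAVLINK2_STX, len(payload), IFLAG_SIGNED if signed else 0,
                    0, 0, 1, 1]) + msgid.to_bytes(3, "little")
    return header + payload + b"\x00\x00" + (b"\x00" * SIG_LEN if signed else b"")

# Constructed sample: signed HEARTBEAT, unsigned SERIAL_CONTROL, MAVLink 1 HEARTBEAT.
SAMPLE = (frame2(0, b"\x00" * 9, True) + frame2(SERIAL_CONTROL, b"\x00" * 9, False)
          + bytes([MAVLINK1_STX, 9, 0, 1, 1, 0]) + b"\x00" * 11)

if __name__ == "__main__":
    for f in audit_stream(SAMPLE):
        print(f)
```

Any finding with `signed` set to False on a link that is supposed to enforce signing means the mitigation is not in effect; `alert` singles out unsigned SERIAL_CONTROL frames.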

Social Media Activity (3 posts)

BeyondMachines :verified:
@beyondmachines1
Apr 1, 2026

Critical Authentication Bypass in PX4 Autopilot Allows Remote Drone Takeover PX4 Autopilot version v1.16.0 is vulnerable to a critical authentication bypass (CVE-2026-1579) that allows unauthenticated attackers to execute arbitrary shell commands via the MAVLink protocol. This flaw enables full system takeover of drones and autonomous vehicles used in defense and transportation. **If you use PX4 Autopilot, you must enable MAVLink 2.0 message signing to prevent unauthorized command execution. Without this cryptographic check, anyone who can reach your drone's communication interface can take full control of the aircraft.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/critical-authentication-bypass-in-px4-autopilot-allows-remote-drone-takeover-h-o-k-m-n/gD2P6Ple2L

TheHackerWire
@thehackerwire
Apr 1, 2026

🔓 CVE-2026-1579 - Critical (9.8) The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1579/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Offensive Sequence
@offseq
Apr 1, 2026

🚨 CVE-2026-1579 (CRITICAL): PX4 Autopilot v1.16.0 SITL allows unauthenticated MAVLink commands — attackers can gain shell access if message signing is disabled. Enable MAVLink 2.0 signing now! https://radar.offseq.com/threat/cve-2026-1579-cwe-306-in-px4-autopilot-77f763f3 #OffSeq #CVE20261579 #DroneSec #Security


Details

CVE ID: CVE-2026-1579
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: unconfirmed
EPSS: 7.3%
Social Posts: 3

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.3% (Probability of exploitation in the next 30 days)