CVE-2026-1579

Critical

Published: 31 March 2026
Modified: 07 April 2026
CVSS v4.0 score: 9.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0093 (55.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1579 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in PX4 Autopilot. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-1579 affects the MAVLink communication protocol, which does not require cryptographic authentication by default when MAVLink 2.0 message signing is not enabled. This vulnerability, published on 2026-03-31, allows any message—including SERIAL_CONTROL, which provides interactive shell access—to be sent by an unauthenticated party with access to the MAVLink interface. PX4 autopilot software utilizes MAVLink and offers MAVLink 2.0 message signing as its cryptographic authentication mechanism. The issue is classified as CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker requires only network access to the MAVLink interface and no privileges to exploit this vulnerability. By sending unauthenticated MAVLink messages, they can inject arbitrary commands, including those via SERIAL_CONTROL for gaining interactive shell access on affected systems. This enables high-impact compromise of confidentiality, integrity, and availability.

PX4 documentation and CISA ICSA-26-090-02 recommend enabling MAVLink 2.0 message signing to mitigate the vulnerability, as it rejects unsigned messages at the protocol level. Configuration guidance is available at https://docs.px4.io/main/en/mavlink/message_signing and https://docs.px4.io/main/en/mavlink/security_hardening, with full advisory details at https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02 and the associated JSON at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json.
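As an added illustration of what "rejects unsigned messages at the protocol level" means (example code written for this page, not PX4 or MAVLink project code), the receiver-side check below applies the MAVLink 2 signing rules to constructed frames: unsigned frames are dropped when signing is enforced, the 48-bit SHA-256 signature over key, frame, link id and timestamp is verified, and a repeated timestamp on the same stream is rejected. The key, message id, payload and CRC field are constructed placeholders, and CRC validation is omitted.

```python
import hashlib
import hmac

MAVLINK2_STX = 0xFD   # MAVLink 2 start-of-frame byte
IFLAG_SIGNED = 0x01   # incompat_flags bit that marks a signed frame
HEADER_LEN, CRC_LEN, SIG_LEN = 10, 2, 13   # trailer = link_id(1) + timestamp(6) + signature(6)
DEMO_KEY = hashlib.sha256(b"constructed-passphrase").digest()   # 32-byte signing key (constructed)


def mav2_signature(key: bytes, packet: bytes, link_id: int, timestamp: int) -> bytes:
    """First 48 bits of SHA-256(secret_key || header+payload+crc || link_id || timestamp)."""
    ts6 = timestamp.to_bytes(6, "little")
    return hashlib.sha256(key + packet + bytes([link_id]) + ts6).digest()[:6]


def build_frame(seq: int, sysid: int, compid: int, msgid: int, payload: bytes,
                key: bytes = b"", link_id: int = 0, timestamp: int = 0) -> bytes:
    """Constructed MAVLink 2 frame; the CRC field is a placeholder since link CRC is not what this checks."""
    flags = IFLAG_SIGNED if key else 0
    header = bytes([MAVLINK2_STX, len(payload), flags, 0, seq, sysid, compid]) + msgid.to_bytes(3, "little")
    packet = header + payload + b"\x00\x00"
    if not key:
        return packet                      # unsigned frame: what an unauthenticated sender can emit
    trailer = bytes([link_id]) + timestamp.to_bytes(6, "little")
    return packet + trailer + mav2_signature(key, packet, link_id, timestamp)


class SigningReceiver:
    """Receiver-side policy: with enforce=True, unsigned, mis-signed and replayed frames are dropped."""
    def __init__(self, key: bytes, enforce: bool = True):
        self.key, self.enforce = key, enforce
        self.last_ts: dict[tuple, int] = {}   # (sysid, compid, link_id) -> last accepted timestamp

    def accept(self, frame: bytes) -> tuple[bool, str]:
        if len(frame) < HEADER_LEN + CRC_LEN or frame[0] != MAVLINK2_STX:
            return False, "not a MAVLink 2 frame"
        if not frame[2] & IFLAG_SIGNED:   # the default, unauthenticated case the advisory describes
            return (False, "unsigned frame rejected") if self.enforce else (True, "unsigned frame accepted")
        body_end = HEADER_LEN + frame[1] + CRC_LEN
        if len(frame) != body_end + SIG_LEN:
            return False, "bad signature length"
        packet, trailer = frame[:body_end], frame[body_end:]
        link_id, ts = trailer[0], int.from_bytes(trailer[1:7], "little")
        if not hmac.compare_digest(mav2_signature(self.key, packet, link_id, ts), trailer[7:]):
            return False, "bad signature"
        stream = (frame[5], frame[6], link_id)
        if ts <= self.last_ts.get(stream, -1):   # timestamps must strictly increase per stream
            return False, "stale timestamp (replay)"
        self.last_ts[stream] = ts
        return True, "signed frame accepted"
```

The `enforce=False` branch corresponds to the default configuration the advisory describes; turning it on is the protocol-level rejection the PX4 hardening guidance recommends.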

Vulnerability details

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote attackers with network access to the MAVLink interface to inject arbitrary messages, including SERIAL_CONTROL for interactive shell access, directly enabling exploitation of a public-facing application/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (all share CWE-306)

CVE-2026-4810, CVE-2025-53847, CVE-2025-61757, CVE-2025-68715, CVE-2026-21992, CVE-2025-26362, CVE-2026-48692, CVE-2022-50981, CVE-2025-58083, CVE-2025-21515

Affected Assets

Vendor: px4; product: autopilot; version: 1.16.0

Mitigating Controls (NIST 800-53 r5)

AC-14, Permitted Actions Without Identification or Authentication (prevent): Prohibits permitted actions without identification or authentication, directly addressing the lack of default cryptographic authentication in MAVLink that allows unauthenticated command injection, including SERIAL_CONTROL.

Cryptographic protection of transmitted messages (prevent): Requires cryptographic mechanisms to protect the authenticity of transmitted MAVLink messages, enabling rejection of unsigned messages as recommended for mitigation.

CM-6, Configuration Settings (prevent): Mandates secure configuration settings to enable MAVLink 2.0 message signing, countering the default lack of authentication in the protocol.
