CVE-2026-26741
Published: 10 March 2026
Summary
CVE-2026-26741 is a high-severity Missing Authorization (CWE-862) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 8.1 (High).
Operationally, it ranks at the 15.1th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-17 (Fail-safe Procedures).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the missing throttle threshold safety check by requiring validation of physical throttle stick inputs during critical mode switches to prevent uncontrolled ascent.
- SI-17 (Fail-safe Procedures): Implements fail-safe procedures for unsafe conditions during ARMED state mode transitions, such as automatic disarm or throttle limits, to avert flyaway incidents.
- Requires identification and correction of the specific logic flaw in mode switching via patching, eliminating the vulnerability in affected PX4 versions.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
PX4 Autopilot versions 1.12.x through 1.15.x contain a logic flaw in the mode switching mechanism. When switching from Auto mode to Manual mode while the drone is in the "ARMED" state (after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter), the system lacks a throttle threshold safety check for the physical throttle stick. This flaw can directly cause the drone to lose control, experience rapid uncontrolled ascent (flyaway), and result in property damage.
Deeper analysis
CVE-2026-26741, published on 2026-03-10, is a logic flaw classified under CWE-862 in the mode switching mechanism of PX4 Autopilot versions 1.12.x through 1.15.x. The vulnerability arises when switching from Auto mode to Manual mode while the drone is in the "ARMED" state—specifically after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter. During this transition, the system lacks a throttle threshold safety check for the physical throttle stick, which can directly cause the drone to lose control, undergo rapid uncontrolled ascent (flyaway), and result in property damage. The issue carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
An adjacent attacker (AV:A) can exploit this vulnerability with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). By timing or inducing a mode switch from Auto to Manual during the narrow post-landing ARMED window, and ensuring the physical throttle stick exceeds safe thresholds, the attacker can trigger the flyaway condition. This results in high integrity (I:H) and availability (A:H) impacts, with no confidentiality consequences (C:N), potentially leading to physical drone loss or damage.
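As an added illustration (not PX4 source and not the referenced advisory's patch), the following C++ model contrasts the unchecked Auto-to-Manual switch the advisory describes with a guarded variant that validates the throttle stick in the post-landing ARMED window and fails safe; the FlightState struct, the threshold values and the function names are assumptions made for this example.

```cpp
// Illustrative model of the CVE-2026-26741 mode-switch guard. Not PX4 code:
// FlightState, the thresholds and the function names are assumptions.
#include <cstdint>

enum class FlightMode { Auto, Manual };
enum class Decision { Allow, RejectHoldMode, FailSafeDisarm };

struct FlightState {
    bool armed;            // vehicle is armed
    bool landed;           // land detector reports touchdown
    float since_land_s;    // seconds elapsed since touchdown
    float disarm_land_s;   // COM_DISARM_LAND auto-disarm delay; <= 0 means disabled
    FlightMode mode;       // current flight mode
    float throttle_stick;  // physical throttle stick, 0.0 (idle) .. 1.0 (full)
};

// True while the vehicle sits on the ground, still armed, waiting for the
// automatic disarm: the window in which an unchecked switch is dangerous.
bool in_post_landing_armed_window(const FlightState& s) {
    return s.armed && s.landed &&
           (s.disarm_land_s <= 0.0f || s.since_land_s < s.disarm_land_s);
}

// Vulnerable behaviour as the advisory describes it: the switch is granted
// without consulting the throttle stick, so a raised stick becomes full thrust.
Decision switch_mode_unchecked(const FlightState&, FlightMode) {
    return Decision::Allow;
}

// Hardened variant (SI-10 input validation plus SI-17 fail-safe): inside the
// window an Auto -> Manual request is honoured only with the stick at idle; a
// raised stick keeps the vehicle in Auto, and a stick near full travel disarms
// the landed vehicle instead of handing it uncontrolled thrust.
constexpr float kThrottleIdleMax = 0.10f;  // assumed idle threshold
constexpr float kThrottleUnsafe  = 0.50f;  // assumed fail-safe threshold

Decision switch_mode_checked(const FlightState& s, FlightMode requested) {
    const bool auto_to_manual =
        s.mode == FlightMode::Auto && requested == FlightMode::Manual;
    if (!auto_to_manual || !in_post_landing_armed_window(s)) return Decision::Allow;
    if (s.throttle_stick <= kThrottleIdleMax) return Decision::Allow;
    if (s.throttle_stick >= kThrottleUnsafe)  return Decision::FailSafeDisarm;
    return Decision::RejectHoldMode;
}
```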
Mitigation details are outlined in the referenced advisory at https://github.com/npuwyw/PX4-Autopilot/blob/audit-v1.12.3-mode-transition-logic-flaw/PX4_Autopilot_Mode_Switching_Logic_Vulnerability.md. Security practitioners using affected PX4 Autopilot versions should consult this resource for recommended patches or workarounds.