Cyber Resilience

CVE-2026-26741

Severity: High · Public PoC

Published: 10 March 2026

Modified: 12 March 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0026 (17.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26741 is a high-severity Missing Authorization (CWE-862) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 17.0th percentile by exploit likelihood (EPSS 0.0026, below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-17 (Fail-safe Procedures).

Deeper analysis

CVE-2026-26741, published on 2026-03-10, is a logic flaw classified under CWE-862 in the mode-switching mechanism of PX4 Autopilot versions 1.12.x through 1.15.x. The vulnerability arises when switching from Auto mode to Manual mode while the drone is in the "ARMED" state, specifically in the window after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter. During this transition the system performs no throttle threshold safety check on the physical throttle stick, so a raised stick becomes live motor output the moment Manual mode takes over; the drone can lose control, undergo rapid uncontrolled ascent (flyaway), and cause property damage. The issue carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

An adjacent attacker (AV:A) can exploit this vulnerability with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). By timing or inducing a mode switch from Auto to Manual during the narrow post-landing ARMED window, and ensuring the physical throttle stick exceeds safe thresholds, the attacker can trigger the flyaway condition. This results in high integrity (I:H) and availability (A:H) impacts, with no confidentiality consequences (C:N), potentially leading to physical drone loss or damage.
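The missing guard, shown as a reduced model added here (not PX4's code; the types, function names and the 0.10 stick threshold are illustrative assumptions): the unchecked transition passes the stick straight to thrust, while the hardened transition refuses an Auto-to-Manual request in the armed, post-landing window unless the stick is already at idle.

```cpp
#include <algorithm>
#include <iostream>

// Hypothetical, reduced model of the state that matters for this flaw; not PX4's real types.
enum class FlightMode { Auto, Manual };
enum class SwitchResult { Switched, RejectedThrottleHigh };

struct VehicleState {
    FlightMode mode;
    bool armed;            // motors are live
    bool landed;           // land detector reports ground contact, COM_DISARM_LAND timer not yet expired
    float throttle_stick;  // physical stick position, normalised 0.0 (idle) .. 1.0 (full)
};

// Assumed safe stick position for accepting a Manual switch on the ground (illustrative value).
constexpr float kMaxStickForLandedManualSwitch = 0.10f;

// Thrust the motors are commanded to produce: Manual passes the stick through; Auto idles on the ground.
float commanded_thrust(const VehicleState &s) {
    if (s.mode == FlightMode::Manual) return std::clamp(s.throttle_stick, 0.0f, 1.0f);
    return s.landed ? 0.0f : 0.5f;  // illustrative hover thrust while Auto is flying
}

// Behaviour described in the advisory: the request is honoured without looking at the stick,
// so a raised stick becomes live thrust the moment Manual takes over.
SwitchResult switch_mode_unchecked(VehicleState &s, FlightMode target) {
    s.mode = target;
    return SwitchResult::Switched;
}

// Hardened variant: in the armed, post-landing window an Auto -> Manual request is only
// accepted while the stick is at or below the threshold; otherwise the vehicle stays in Auto.
SwitchResult switch_mode_checked(VehicleState &s, FlightMode target) {
    const bool auto_to_manual = (s.mode == FlightMode::Auto && target == FlightMode::Manual);
    if (auto_to_manual && s.armed && s.landed && s.throttle_stick > kMaxStickForLandedManualSwitch) {
        return SwitchResult::RejectedThrottleHigh;
    }
    s.mode = target;
    return SwitchResult::Switched;
}

int main() {
    // Constructed scenario: armed, just landed, pilot's stick left at 90%.
    VehicleState unchecked{FlightMode::Auto, true, true, 0.9f};
    VehicleState checked = unchecked;
    switch_mode_unchecked(unchecked, FlightMode::Manual);
    switch_mode_checked(checked, FlightMode::Manual);
    std::cout << "unchecked thrust after switch: " << commanded_thrust(unchecked) << '\n';  // 0.9
    std::cout << "checked thrust after switch:   " << commanded_thrust(checked) << '\n';    // 0
}
```

The in-flight case is deliberately left unguarded in the model: a pilot taking manual control of an airborne vehicle must still be able to switch, so the check is keyed on the landed state rather than on the stick alone.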

Mitigation details are outlined in the referenced advisory at https://github.com/npuwyw/PX4-Autopilot/blob/audit-v1.12.3-mode-transition-logic-flaw/PX4_Autopilot_Mode_Switching_Logic_Vulnerability.md. Security practitioners using affected PX4 Autopilot versions should consult this resource for recommended patches or workarounds.

Vulnerability details

PX4 Autopilot versions 1.12.x through 1.15.x contain a logic flaw in the mode switching mechanism. When switching from Auto mode to Manual mode while the drone is in the "ARMED" state (after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter), the system lacks a throttle threshold safety check for the physical throttle stick. This flaw can directly cause the drone to lose control, experience rapid uncontrolled ascent (flyaway), and result in property damage.

CWE(s)

CWE-862 Missing Authorization
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26742 (same product: Dronecode Px4 Drone Autopilot)
CVE-2026-32708 (same product: Dronecode Px4 Drone Autopilot)
CVE-2024-40427 (same product: Dronecode Px4 Drone Autopilot)
CVE-2026-32706 (same product: Dronecode Px4 Drone Autopilot)
CVE-2025-26375 (shared CWE-862)
CVE-2025-0952 (shared CWE-862)
CVE-2025-2110 (shared CWE-862)
CVE-2025-69311 (shared CWE-862)
CVE-2024-12920 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)

Affected Assets

Dronecode px4 drone autopilot, versions 1.12.0 — 1.16.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 Information Input Validation. Directly addresses the missing throttle threshold safety check by requiring validation of physical throttle stick inputs during critical mode switches to prevent uncontrolled ascent.

Prevent: SI-17 Fail-safe Procedures. Implements fail-safe procedures for unsafe conditions during ARMED state mode transitions, such as automatic disarm or throttle limits, to avert flyaway incidents.

Prevent, recover: Requires identification and correction of the specific logic flaw in mode switching via patching, eliminating the vulnerability in affected PX4 versions.
