Critical Authentication Bypass in PX4 Autopilot Allows Remote Drone Takeover
Take action: If you use PX4 Autopilot, enable MAVLink 2.0 message signing on every communication link that is not a direct physical USB connection, so that the autopilot rejects commands that are not signed with the shared secret. Without this cryptographic check, anyone who can reach the drone's MAVLink interface can take full control of the aircraft.
CISA reports a critical flaw in PX4 Autopilot, a widely used open-source flight control system for drones and autonomous robotics. The flaw allows unauthenticated remote command execution.
The flaw is tracked as CVE-2026-1579 (CVSS score 9.8). It is a missing-authentication vulnerability in PX4's MAVLink interface: the autopilot accepts SERIAL_CONTROL messages from unauthenticated senders. SERIAL_CONTROL is the MAVLink message used to relay bytes to and from a serial device, and one of the selectable devices is the autopilot's own system shell. By injecting these messages into the MAVLink interface, an attacker obtains interactive shell access, which permits arbitrary command execution and complete takeover of the autopilot software.
Successful exploitation lets an attacker bypass the autopilot's security checks and interact directly with the system shell: change flight parameters, disable safety features, or exfiltrate sensitive data from the onboard computer.
In sectors like the defense industrial base, a successful attack could result in the loss of high-value assets or the compromise of mission-critical operations. The attack is particularly dangerous because it requires no user interaction and can be carried out by anyone who can reach the MAVLink interface.
The vulnerability is confirmed in PX4 Autopilot version v1.16.0_SITL_latest_stable. Organizations using PX4 for commercial or industrial applications should verify their current configuration. Any deployment that relies on default MAVLink settings, which do not require message signing, without additional security layers is likely exposed to unauthorized takeover.
PX4 strongly recommends enabling MAVLink 2.0 message signing for all communication links that do not use a physical USB connection. With signing enabled, every MAVLink 2 frame carries a 13-byte signature (a link ID, a 48-bit timestamp and the first 6 bytes of a SHA-256 over the 32-byte shared secret and the frame), and a signing-enabled receiver rejects frames that are unsigned, carry a wrong signature, or reuse an old timestamp. That is what blocks an unauthenticated source from injecting SERIAL_CONTROL messages. Users should consult the PX4 Security Hardening Guide and the MAVLink Message Signing Documentation for implementation details.