Critical severity9.8NVD Advisory· Published Mar 31, 2026· Updated Apr 7, 2026

CVE-2026-1579

Description

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.jsonnvdThird Party Advisory
www.cisa.gov/news-events/ics-advisories/icsa-26-090-02nvdThird Party AdvisoryUS Government Resource
docs.px4.io/main/en/mavlink/message_signingnvdProduct
docs.px4.io/main/en/mavlink/security_hardeningnvdProduct

News mentions

Blend Autopilot MCP brings AI agent orchestration to lending platforms
Help Net Security · May 4, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000