MAVLink, an open stack autopilot implementation for drones and autonomous vehicles, has a critical vulnerability (CVE-2026-1579), as reported by CISA. The vulnerability allows attackers to execute arbitrary shell commands on the device through the MAVLink interface without cryptographic authentication.
The vulnerability arises because the MAVLink protocol does not use cryptographic authentication by default, so unauthorized messages can be sent. By exploiting this flaw, an attacker could send a “SERIAL_CONTROL” message, enabling them to execute code in an interactive command shell. To mitigate this risk, it is advised to implement MAVLink message signing on all communication channels, excluding USB connections.
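The check that message signing adds on the receiving side, as an added example that is not code from MAVLink or from the advisory: it rejects unsigned frames, frames with a wrong signature, and replayed timestamps. It assumes the MAVLink 2 frame and signature layout from the public protocol documentation and a 32-byte shared key; the function names are hypothetical and the frame CRC is not validated here.

```python
import hashlib
import hmac

MAGIC_V2 = 0xFD        # MAVLink 2 start-of-frame marker
IFLAG_SIGNED = 0x01    # incompat_flags bit: frame carries a signature
HEADER_LEN = 10        # magic, len, incompat, compat, seq, sysid, compid, msgid(3)
SIG_LEN = 13           # link id (1) + timestamp (6) + truncated SHA-256 (6)
SERIAL_CONTROL = 126   # message id of SERIAL_CONTROL

def make_frame(msgid, payload, signed):
    """Constructed sample frame; the 2-byte CRC is a placeholder (not checked here)."""
    hdr = bytes([MAGIC_V2, len(payload), IFLAG_SIGNED if signed else 0, 0, 0, 1, 1])
    hdr += msgid.to_bytes(3, "little")
    return hdr + payload + b"\x00\x00"

def sign_frame(key, frame, link_id, timestamp):
    """Append link id, 48-bit timestamp and the first 6 bytes of SHA-256."""
    trailer = bytes([link_id]) + timestamp.to_bytes(6, "little")
    return frame + trailer + hashlib.sha256(key + frame + trailer).digest()[:6]

def check_frame(key, frame, last_seen):
    """Return (accepted, reason). last_seen maps (link, sysid, compid) -> timestamp."""
    if len(frame) < HEADER_LEN + 2 or frame[0] != MAGIC_V2:
        return False, "not a MAVLink 2 frame"
    plen, iflags, sysid, compid = frame[1], frame[2], frame[5], frame[6]
    msgid = int.from_bytes(frame[7:10], "little")
    body_end = HEADER_LEN + plen + 2           # header + payload + CRC
    if not iflags & IFLAG_SIGNED:
        return False, f"unsigned msgid {msgid}"
    if len(frame) != body_end + SIG_LEN:
        return False, "bad signature length"
    link_id = frame[body_end]
    ts = int.from_bytes(frame[body_end + 1:body_end + 7], "little")
    # Signature covers key + header + payload + CRC + link id + timestamp.
    expected = hashlib.sha256(key + frame[:body_end + 7]).digest()[:6]
    if not hmac.compare_digest(expected, frame[body_end + 7:]):
        return False, "bad signature"
    stream = (link_id, sysid, compid)
    if ts <= last_seen.get(stream, -1):        # timestamps must strictly increase
        return False, "replayed timestamp"
    last_seen[stream] = ts
    return True, "ok"

if __name__ == "__main__":
    key, seen = bytes(range(32)), {}           # constructed demo key
    frame = make_frame(SERIAL_CONTROL, bytes(79), signed=False)
    print(check_frame(key, frame, seen))
```

With signing enforced this way, a SERIAL_CONTROL frame from a sender that does not hold the key is dropped before it reaches the message handler.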