CISA Issues High-Severity Alert for Critical PX4 Autopilot Vulnerability The Cybersecurity and Infrastructure Security Agency (CISA) has released a high-priority alert regarding a severe vulnerability in the PX4 Autopilot system, a widely used open-source flight control software for drones and unmanned aerial vehicles (UAVs). Tracked as CVE-2026-1579, the flaw carries a CVSS score of 9.8, indicating a near-maximum risk level. The vulnerability stems from a "Missing Authentication for Critical Function" error in the software’s MAVLink interface a messaging protocol that facilitates communication between drones and ground control stations. Attackers with access to the MAVLink interface can exploit this weakness to bypass security checks, execute arbitrary shell commands, and hijack drone operations without authentication. The flaw specifically affects PX4 Autopilot version v1.16.0_SITL_latest_stable and poses significant risks to critical infrastructure sectors, including transportation, emergency services, and defense operations. A successful exploit could lead to data theft, disrupted emergency responses, or compromised military and industrial drone activities. Discovered by security researcher Dolev Aviv of Cyviation, the vulnerability was detailed in CISA advisory ICSA-26-090-02, published on March 31, 2026. Until a patch is released, organizations are advised to restrict MAVLink access to trusted networks to mitigate exposure. Drone operators and entities relying on PX4 Autopilot are urged to monitor official updates and implement defensive measures to secure their systems.