MAVLink Drone Protocol Lacks Authentication, Enabling Unauthenticated RCE (CVE-2026-1579)

CVE-2026-1579 affects the MAVLink communication protocol, which is the de facto standard for communication between drones, unmanned aerial vehicles (UAVs), and ground control stations. The vulnerability exists because MAVLink does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled (which is the default configuration), any attacker with network access can send arbitrary MAVLink messages including SERIAL_CONTROL commands, which provide shell-level access to connected systems. This vulnerability has critical implications for drone security in both commercial and military contexts, as it could allow attackers to hijack drones, access sensitive telemetry data, or cause physical damage. The vulnerability was published on March 31, 2026, with a CVSS score of 9.8. Organizations and individuals operating MAVLink-based systems should immediately enable MAVLink 2.0 message signing, restrict network access to MAVLink communication channels, and audit their drone fleet configurations. Defense and critical infrastructure operators using autonomous vehicles should treat this as a priority remediation.