CVE-2026-48117 | DroneAware is a drone detection platform. The centralized Dr… | CVSS 6.8 MEDIUM

Description

DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.

Metadata

CVE ID: CVE-2026-48117
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-20 18:46 UTC
Published: 2026-06-17 14:02 UTC
Last updated: 2026-06-17 15:41 UTC
Primary CWE: CWE-287
CWE-287: Improper Authentication
Vendor / Product: fduflyer / DroneAware-Node-Releases
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
fduflyer	DroneAware-Node-Releases	—	< server-2026-05-20

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication
CWE-302	cna	CWE-302: Authentication Bypass by Assumed-Immutable Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (1)

https://github.com/fduflyer/DroneAware-Node-Releases/security/advisories/GHSA-h243-pmjf-chcj https://github.com/fduflyer/DroneAware-Node-Releases/security/advisories/GHSA-h243-pmjf-chcj