Home

Description

A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-02-01 | Published 2026-02-02 | Updated 2026-02-23 | Assigner VulDB




LOW: 2.3CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
LOW: 3.1CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R
LOW: 3.1CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R
1.8AV:A/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR

Problem types

Authentication Bypass by Capture-replay

Improper Authentication

Product status

01.00
affected

01.00
affected

01.00
affected

01.00
affected

Timeline

2026-02-01:Advisory disclosed
2026-02-01:VulDB entry created
2026-02-02:VulDB entry last update

Credits

byteme1001 (VulDB User) reporter

byteme1001 (VulDB User) analyst

References

vuldb.com/?id.343674 (VDB-343674 | DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay) vdb-entry

vuldb.com/?ctiid.343674 (VDB-343674 | CTI Indicators (IOB, IOC, TTP)) signature permissions-required

vuldb.com/?submit.741323 (Submit #741323 | DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay) third-party-advisory

github.com/ByteMe1001/DJI-CatNect related

github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c exploit

cve.org (CVE-2026-1743)

nvd.nist.gov (CVE-2026-1743)

Download JSON