Skip to main content

Signalk Server CVE-2026-33951

| EUVDEUVD-2026-18374 MEDIUM
Improper Access Control (CWE-284)
2026-04-02 GitHub_M GHSA-gfmv-vh34-h2x5
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 16:30 euvd
EUVD-2026-18374
Analysis Generated
Apr 02, 2026 - 16:30 vuln.today
CVE Published
Apr 02, 2026 - 16:11 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.

AnalysisAI

SignalK Server prior to version 2.24.0-beta.1 allows unauthenticated remote attackers to modify navigation data source priorities through an unprotected PUT endpoint (/signalk/v1/api/sourcePriorities), enabling manipulation of which GPS, AIS, and sensor data sources are trusted by the maritime navigation system. The malicious configuration changes are immediately applied and persisted to disk, surviving server restarts and potentially causing the vessel to rely on attacker-controlled or spoofed navigation data. No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

SignalK Server is a standardized marine data exchange platform that aggregates sensor data from multiple sources (GPS, AIS transponders, electronic depth finders, wind instruments) into a unified interface for navigation systems aboard vessels. The vulnerability exploits a missing authentication control on a management API endpoint that directly modifies the sourcePriorities configuration object without validating the requester's identity or authorization. CWE-284 (Improper Access Control) categorizes the root cause as insufficient access control enforcement on a privileged administrative function. The HTTP PUT method on /signalk/v1/api/sourcePriorities accepts user-controlled JSON payloads that directly update the server's source priority rankings, which determine the weighting and trust order of multiple navigation data feeds. Because changes are written to persistent storage, the manipulation survives process restarts and becomes a lasting compromise of system integrity.

RemediationAI

Upgrade SignalK Server to version 2.24.0-beta.1 or later immediately. This patched version restores authentication and authorization enforcement on the sourcePriorities endpoint. Until patching is possible, restrict network access to the SignalK Server HTTP API using firewall rules or network segmentation, allowing only trusted administrative hosts to reach port 3000 (default) or the configured API port. Disable remote management capabilities if the server is not required to accept commands from outside the local network. Review server logs for any unauthorized PUT requests to /signalk/v1/api/sourcePriorities that may indicate prior compromise, and verify that source priority settings reflect legitimate vessel configuration. Full patch details and release notes are available at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1.

Share

CVE-2026-33951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy