Skip to main content

Signalk Server EUVDEUVD-2026-18372

| CVE-2026-33950 CRITICAL
Improper Authorization (CWE-285)
2026-04-02 GitHub_M GHSA-x8hc-fqv3-7gwf
9.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 16:30 euvd
EUVD-2026-18372
Analysis Generated
Apr 02, 2026 - 16:30 vuln.today
CVE Published
Apr 02, 2026 - 16:08 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

AnalysisAI

Unauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inject administrator roles via the /enableSecurity endpoint, granting full administrative control without credentials. Attackers can modify vessel routing data, alter server configurations, and access all restricted endpoints. No public exploit identified at time of analysis, but the critical CVSS 9.4 score reflects the trivial exploit complexity (AV:N/AC:L/PR:N) and high confidentiality/integrity impact to marine vessel control systems.

Technical ContextAI

SignalK Server is a Node.js-based marine data hub that aggregates sensor data (GPS, AIS, depth sounders) and provides APIs for vessel monitoring and automation. The vulnerability stems from improper privilege management (CWE-285) in the security initialization endpoint /enableSecurity. This endpoint should only allow authenticated administrators to configure security settings, but instead accepts unauthenticated requests that can inject admin role assignments. The affected product signalk:signalk-server lacks proper authorization checks during the security configuration phase, allowing attackers to bootstrap themselves into the admin role before authentication mechanisms are fully enforced. This represents a fundamental flaw in the security model's initialization sequence where privilege decisions are made without verifying the requester's identity.

RemediationAI

Immediately upgrade to SignalK Server version 2.24.0-beta.4 or later, available from the official release at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4. Organizations unable to deploy the beta release should implement network-level access controls to restrict /enableSecurity endpoint access to trusted management networks only, using firewall rules or reverse proxy authentication. Review server logs for unauthorized access attempts to the /enableSecurity endpoint (suspicious POST requests from unknown IPs). After patching, verify all user accounts and role assignments, removing any unauthorized admin accounts created via exploitation. Consult the GitHub security advisory https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf for vendor-specific remediation guidance and detection indicators. For maritime operational technology environments, coordinate patching with vessel maintenance windows to avoid disrupting navigation systems during active operations.

Share

EUVD-2026-18372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy