Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
AnalysisAI
Unauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inject administrator roles via the /enableSecurity endpoint, granting full administrative control without credentials. Attackers can modify vessel routing data, alter server configurations, and access all restricted endpoints. No public exploit identified at time of analysis, but the critical CVSS 9.4 score reflects the trivial exploit complexity (AV:N/AC:L/PR:N) and high confidentiality/integrity impact to marine vessel control systems.
Technical ContextAI
SignalK Server is a Node.js-based marine data hub that aggregates sensor data (GPS, AIS, depth sounders) and provides APIs for vessel monitoring and automation. The vulnerability stems from improper privilege management (CWE-285) in the security initialization endpoint /enableSecurity. This endpoint should only allow authenticated administrators to configure security settings, but instead accepts unauthenticated requests that can inject admin role assignments. The affected product signalk:signalk-server lacks proper authorization checks during the security configuration phase, allowing attackers to bootstrap themselves into the admin role before authentication mechanisms are fully enforced. This represents a fundamental flaw in the security model's initialization sequence where privilege decisions are made without verifying the requester's identity.
RemediationAI
Immediately upgrade to SignalK Server version 2.24.0-beta.4 or later, available from the official release at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4. Organizations unable to deploy the beta release should implement network-level access controls to restrict /enableSecurity endpoint access to trusted management networks only, using firewall rules or reverse proxy authentication. Review server logs for unauthorized access attempts to the /enableSecurity endpoint (suspicious POST requests from unknown IPs). After patching, verify all user accounts and role assignments, removing any unauthorized admin accounts created via exploitation. Consult the GitHub security advisory https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf for vendor-specific remediation guidance and detection indicators. For maritime operational technology environments, coordinate patching with vessel maintenance windows to avoid disrupting navigation systems during active operations.
More in Signalk Server
View allSignalK Server prior to version 2.24.0-beta.1 allows unauthenticated remote attackers to modify navigation data source p
SignalK Server versions prior to 2.24.0 allow unauthenticated attackers to hijack OAuth2 sessions and steal authorizatio
Signal K Server prior to version 2.24.0 permits low-privileged authenticated users to bypass prototype boundary filterin
Same weakness CWE-285 – Improper Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18372
GHSA-x8hc-fqv3-7gwf