CVE-2026-33950

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.24.0-beta.4 contain a privilege escalation vulnerability: Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the Signal K server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

Configurations

Configuration 1

OR cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3:*:*:*:*:*:*

History

06 Apr 2026, 15:04

Type: References
Values Removed: () https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4 -
Values Added: () https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4 - Product, Release Notes

Type: References
Values Removed: () https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf -
Values Added: () https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf - Exploit, Vendor Advisory

Type: CPE
Values Removed: (none)
Values Added:
cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1:*:*:*:*:*:*
cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2:*:*:*:*:*:*

Type: First Time
Values Removed: (none)
Values Added:
Signalk
Signalk signal K Server

02 Apr 2026, 17:16

Type: New CVE

Information

Published : 2026-04-02 17:16

Updated : 2026-04-06 15:04


NVD link : CVE-2026-33950

Mitre link : CVE-2026-33950

CVE.ORG link : CVE-2026-33950


Products Affected

signalk

  • signal_k_server

CWE

CWE-285

Improper Authorization

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-862

Missing Authorization