anonhaven
Ad

CVE-2026-33950

CRITICAL CVSS 3.1: 9.4
Updated Apr 02, 2026
Signal
Parameter Value
CVSS 9.4 (CRITICAL)
Fixed In 2.24.0
Type CWE-288 (Authentication Bypass Using Alternate Path), CWE-862 (Missing Authorization), CWE-285 (Improper Authorization)
Vendor Signal
Public PoC No

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints.

This issue has been patched in version 2.24.0-beta.4.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-288 Authentication Bypass Using Alternate Path
CWE-862 Missing Authorization
CWE-285 Improper Authorization

References 2

https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4
security-advisories@github.com
https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7g…
security-advisories@github.com
Share Post Share Share Share