Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
Published: 2026-02-02
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure and potential manipulation of files via path traversal
Action: Apply patch
AI Analysis

Impact

Signal K Server's applicationData API contains a path traversal flaw that allows authenticated users on Windows systems to read, write, and list arbitrary files and directories. The validateAppId() function blocks forward slashes but does not block backslashes, which on Windows are interpreted as directory separators by path.join(), enabling an attacker to escape the intended applicationData directory. This flaw can lead to accidental or intentional disclosure of sensitive data and unauthorized modification of files, undermining the confidentiality and integrity of the vessel's data environment.

Affected Systems

SignalK Server versions prior to 2.20.3 on Windows operating systems are affected. The vulnerability is fixed in version 2.20.3 and later, so upgrading to at least that release removes the risk.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw requires the attacker to be an authenticated user on a Windows system, but once those conditions are met, the attacker can traverse directories and access or modify any files the process can read or write, potentially compromising critical operational data.

Generated by OpenCVE AI on April 18, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Signal K Server to version 2.20.3 or later to eliminate the path traversal vulnerability.
  • Restrict authentication to trusted users only and review the applicationData API permissions to prevent unauthorized file access.
  • If an upgrade cannot be performed immediately, consider applying OS-level access controls to the Signal K Server process directory to limit file system visibility and deny directory traversal attempts by non-privileged users.

Generated by OpenCVE AI on April 18, 2026 at 00:28 UTC.

Advisories
Source       ID                    Title
Github GHSA  GHSA-vrhw-v2hw-jffx   SignalK Server has Path Traversal leading to information disclosure
History

Fri, 20 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft
                                      Microsoft windows
CPEs                                  cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft windows

Wed, 04 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Signalk
                                      Signalk signal K Server
                                      Signalk signalk-server
Vendors & Products                    Signalk
                                      Signalk signal K Server
                                      Signalk signalk-server

Mon, 02 Feb 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description                    Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
Title                          SignalK Server has Path Traversal leading to information disclosure
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1
                               {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:09:42.637Z

Reserved: 2026-01-30T14:44:47.328Z

Link: CVE-2026-25228

Vulnrichment

Updated: 2026-02-04T21:09:39.736Z

NVD

Status : Analyzed

Published: 2026-02-02T23:16:10.080

Modified: 2026-02-20T15:13:59.497

Link: CVE-2026-25228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses