Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Published: 2026-04-02
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
AI Analysis

Impact

Signal K Server allows an unauthenticated attacker to inject an administrator role via the /enableSecurity endpoint, elevating to full administrator privileges. This enables modification of sensitive vessel routing data, alteration of server configurations, and unrestricted access to protected endpoints, thereby compromising data integrity and operational control.

Affected Systems

Signal K Server versions prior to 2.24.0‑beta.4 are affected. The vulnerability has been fixed in release 2.24.0‑beta.4 and later.

Risk and Exploitability

The flaw holds a CVSS score of 9.4, indicating a critical severity. Based on the description, the attack vector is likely a simple HTTP request to a publicly reachable endpoint, meaning an attacker only needs network connectivity to the server. No public exploits are listed and the vulnerability is not in the KEV catalog, but its high severity and ease of exploitation make it a significant threat. Because the EPSS score is not available, the exact probability of exploitation remains unknown.

Generated by OpenCVE AI on April 2, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Signal K Server version 2.24.0‑beta.4 or later to apply the vendor patch.
  • Restart the service after the upgrade to ensure changes take effect.
  • If an upgrade cannot be performed immediately, restrict network access to the /enableSecurity endpoint, for example by firewall rules or network segmentation, to prevent unauthenticated requests.
  • Verify that the /enableSecurity endpoint no longer accepts role injection requests by testing with an unauthenticated client.

Generated by OpenCVE AI on April 2, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Signalk
Signalk signalk-server
Vendors & Products Signalk
Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Title signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Weaknesses CWE-285
CWE-288
CWE-862
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Signalk Signalk-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:02:34.324Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33950

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-02T17:16:22.993

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-33950

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:37Z

Weaknesses