CVE-2026-33950 - Vulnerability Details

- signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

Published: 2026-04-02

Score: 9.4 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Signal K Server contains a flaw that permits an unauthenticated user to invoke the /enableSecurity endpoint and inject an administrative role. This bypasses all authentication checks and elevates the attacker to full Administrator level, allowing control over vessel routing data, server configuration, and access to sensitive endpoints, thereby compromising the integrity and availability of the vessel’s systems.

Affected Systems

Signal K Server, produced by SignalK, is affected in all releases prior to 2.24.0-beta.4, including the beta1, beta2, and beta3 builds. The vulnerability is fixed in version 2.24.0-beta.4 and later.

Risk and Exploitability

The flaw carries a CVSS score of 9.4, indicating a critical severity. However, the EPSS score is below 1%, suggesting a low current exploitation probability. It is not listed in CISA’s KEV catalog. An attacker can exploit this remotely by sending an HTTP request to the /enableSecurity endpoint from any network segment that can reach the server, which poses a significant risk for vessels with exposed or unprotected network access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SignalK

signalk-server

affected

Version	Status	Constraints
`< 2.24.0-beta.4`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:signalk:signal_k_server::::::::
	cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1::::::
	cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2::::::
	cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3::::::

No data.

Vendor Product Confidence Versions

Signalk

Signalk-server

100%

Version	Status	Scheme	Platform
`[0,2.24.0-beta.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Signal K Server to version 2.24.0-beta.4 or newer

Generated by OpenCVE AI on April 6, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-x8hc-fqv3-7gwf	Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4
https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf

History

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Signalk signal K Server
CPEs		cpe:2.3:a:signalk:signal_k_server:::::::: cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1:::::: cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2:::::: cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3::::::
Vendors & Products		Signalk signal K Server

Fri, 03 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Signalk Signalk signalk-server
Vendors & Products		Signalk Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Title		signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Weaknesses		CWE-285 CWE-288 CWE-862
References		https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4 https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf
Metrics		cvssV3_1 `{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}`

Subscriptions

Signalk Signal K Server Signalk-server

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-02T16:08:59.415Z

Updated: 2026-04-03T18:02:34.324Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33950

Vulnrichment

Updated: 2026-04-03T18:00:56.514Z

NVD

Status : Analyzed

Published: 2026-04-02T17:16:22.993

Modified: 2026-04-06T15:04:42.720

Link: CVE-2026-33950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object