Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change affecting navigation data source trust
Action: Patch Immediately
AI Analysis

Impact

Signal K Server before version 2.24.0-beta.1 exposes an unauthenticated HTTP endpoint that permits attackers to modify source priorities for GPS, AIS, and other navigation sensors. By sending a PUT request to /signalk/v1/api/sourcePriorities, an attacker can alter which sources the system trusts and uses for critical navigation data. The change takes effect immediately, is persisted to disk, and survives server restarts, meaning the compromised configuration remains in place until corrected. This allows a malicious actor to feed incorrect data into a vessel’s navigation stack, potentially leading to hazardous decisions or collisions. The weakness is a failure to enforce authentication and authorization, categorized as a classic access‑control violation.

Affected Systems

The vulnerability affects all versions of the SignalK signalk-server prior to v2.24.0‑beta.1. Home‑grown deployments or ships running older releases without the patched endpoint are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, with no EPSS data available, and it is not listed in the CISA KEV catalog. The attack vector is remote over HTTP; the endpoint requires no credentials and can be accessed from any host that can reach the server. An attacker only needs network connectivity to issue a crafted PUT request. Since authentication is not enforced, exploitation is straightforward once the server is reachable, and no privilege escalation or code execution is required. Because the changes persist across restarts, the impact is long‑lasting without timely remediation.

Generated by OpenCVE AI on April 2, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SignalK signalk-server to version 2.24.0-beta.1 or later to disable the vulnerable endpoint
  • Verify that the configuration file no longer contains the unauthenticated sourcePriorities route after the update
  • If an immediate update is not possible, block or restrict access to the /signalk/v1/api/sourcePriorities endpoint with firewall rules or network segmentation
  • Monitor signalk logs for unauthorized PUT attempts to the sourcePriorities URI
  • Consider disabling the sourcePriorities endpoint via local configuration if it is not required for operations

Generated by OpenCVE AI on April 2, 2026 at 21:59 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Signalk; Signalk signalk-server

Type: Vendors & Products
Values Removed:
Values Added: Signalk; Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed:
Values Added: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.

Type: Title
Values Removed:
Values Added: signalk-server: Unauthenticated Source Priorities Manipulation

Type: Weaknesses
Values Removed:
Values Added: CWE-284; CWE-306

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Signalk Signalk-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:21:53.516Z

Reserved: 2026-03-24T19:50:52.106Z

Link: CVE-2026-33951

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-04-02T17:16:23.200

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-33951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:37Z

Weaknesses