Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected. This issue has been patched in version 2.24.0.
Published: 2026-04-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: OAuth Code Hijacking & Session Impersonation
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when the server builds the OAuth2 redirect_uri from an unvalidated HTTP Host header during the OIDC login and logout handlers. Because the redirectUri configuration is left empty by default, an attacker can forge the Host header so that the OAuth provider sends the authorization code to a domain controlled by the attacker. This allows the attacker to obtain a valid OAuth code and hijack a victim’s session, impersonating them without credentials. The flaw is rooted in CWE‑346 (Untrusted Content for Authentication) and CWE‑601 (Open Redirect) weaknesses where untrusted input is used to control critical authentication flow parameters.

Affected Systems

Any instance of Signal K Server running a version earlier than v2.24.0 is affected. The product is the central hub software used on boats, and the vulnerable code resides in its OIDC login and logout handlers. Users who have not applied the 2.24.0 release or otherwise configured a fixed redirect_uri remain susceptible.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity. The vulnerability has not been observed in the CISA KEV catalog, and EPSS data is unavailable. Exploitation requires only the ability to send a crafted HTTP request to the server’s OIDC endpoints, targeting the Host header. No local privileges or additional services are needed, making the attack condition straightforward for an adversary with network access to the server. The attack vector is inferred to be remote over the network.

Generated by OpenCVE AI on April 2, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Signal K Server to version 2.24.0 or later to apply the fix that validates the redirect_uri.
  • Configure a fixed redirect_uri in the OIDC settings to prevent host header injection.
  • Restrict the Host header to known, trusted domains using web‑server or firewall rules.
  • If OIDC is not needed, disable the OIDC feature entirely to eliminate the attack surface.
  • Monitor for unexpected OAuth tokens or session hijack activity as a supplement to patching.

Generated by OpenCVE AI on April 2, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Signalk
Signalk signalk-server
Vendors & Products Signalk
Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected. This issue has been patched in version 2.24.0.
Title signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Weaknesses CWE-346
CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Signalk Signalk-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:39:18.548Z

Reserved: 2026-03-25T16:21:40.869Z

Link: CVE-2026-34083

cve-icon Vulnrichment

Updated: 2026-04-02T17:39:08.718Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-02T17:16:23.403

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:36Z

Weaknesses