CVE-2026-33950

CRITICAL

signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Title source: cna
STIX 2.1

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

References (2)

Scores

CVSS v3 9.4
EPSS 0.0003
EPSS Percentile 6.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-285 CWE-288 CWE-862
Status published
Products (4)
npm/signalk-server 0 - 2.24.0-beta.4npm
signalk/signal_k_server 2.24.0 beta1 (3 CPE variants)
signalk/signal_k_server < 2.24.0
SignalK/signalk-server < 2.24.0-beta.4
Published Apr 02, 2026
Tracked Since Apr 02, 2026