CVE-2026-33950
Published 2026-04-02
Priority: P2 64 · CVSS 3.1: 9.4 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.42% (33.5th percentile)
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | signal_k_server | < 2.24.0 | 2.24.0 |
| signalk | signal_k_server | — | — |
| signalk | signalk-server | < 2.24.0-beta.4 | 2.24.0-beta.4 |
| signalk | signalk-server | >= 0 < 2.24.0-beta.4 | 2.24.0-beta.4 |
OSV (2026-04-03)
CVE-2026-33950 [CRITICAL] Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
## Summary
According to SignalK's security documentation, when a server is first initialized without security enabled, the **/skServer/enableSecurity** endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.
However, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the **/skServer/enableSecurity** route remains perpetually open.
Furthermore, the endpoint explicitly trusts the **type** field provided in the request body, passing it directly into the serve
GHSA (2026-04-03)
CVE-2026-33950 [CRITICAL] CWE-285 Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
No detection rules found.
No public exploits indexed.