CVE-2026-33951
Published 2026-04-02
Priority P352 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.31% (22.7th percentile)
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | signal_k_server | < 2.24.0 | 2.24.0 |
| signalk | signalk-server | < 2.24.0-beta.1 | 2.24.0-beta.1 |
| signalk | signalk-server | >= 0 < 2.24.0-beta.1 | 2.24.0-beta.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Signal K Server: Unauthenticated Source Priorities Manipulation
ghsa·2026-04-03
CVE-2026-33951 [MEDIUM] CWE-284 Signal K Server: Unauthenticated Source Priorities Manipulation
Signal K Server: Unauthenticated Source Priorities Manipulation
## Summary
The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via `PUT /signalk/v1/api/sourcePriorities`, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration.
As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts.
### Affected Component
- **File**: `src/serverroutes.ts`
- **Endpoint**: `PUT /signalk/v1/api/sourcePriorities` (also accessible at `/skServer/sourcePriorities`)
- **L
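The advisory's two actionable points for a defender are that the handler assigned the request body to the configuration with no authentication, authorization or validation step in front of it, and that any exposed server running a version before 2.24.0-beta.1 may already have had its source priorities rewritten. The block below is an added illustration, not code from Signal K Server (whose `src/serverroutes.ts` is TypeScript/Express and is not reproduced here): `guardSourcePrioritiesUpdate` is a hypothetical pre-write guard whose session shape (`authenticated`, `isAdmin`) and priority-entry shape (`sourceRef`, `timeout`) are assumptions, and `findSourcePriorityWrites` scans constructed combined-log-format access lines for PUTs to the two paths the advisory names so an operator can audit whether the endpoint was hit.

```javascript
// Added example (not Signal K Server code). Two defender-side pieces for
// CVE-2026-33951: a guard that a PUT to sourcePriorities must pass before
// anything is persisted, and an access-log scan for writes to the endpoint.

// Both paths come from the advisory text.
const SOURCE_PRIORITY_PATHS = new Set([
  '/signalk/v1/api/sourcePriorities',
  '/skServer/sourcePriorities',
]);

// Hypothetical guard. `session` is assumed to be what the server's auth layer
// resolved for the request: { authenticated: boolean, isAdmin: boolean }.
// Returns an HTTP status and, only on success, a cleaned copy of the body.
function guardSourcePrioritiesUpdate(session, body) {
  if (!session || !session.authenticated) {
    return { status: 401, reason: 'authentication required' };
  }
  if (!session.isAdmin) {
    return { status: 403, reason: 'admin role required' };
  }
  // Never assign the raw request body into configuration. Accept only a plain
  // object keyed by data path whose values are arrays of entries; the entry
  // shape { sourceRef: string, timeout: number } is an assumption here.
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { status: 400, reason: 'body must be an object keyed by path' };
  }
  const cleaned = {};
  for (const [path, entries] of Object.entries(body)) {
    if (!Array.isArray(entries)) {
      return { status: 400, reason: `priorities for ${path} must be an array` };
    }
    cleaned[path] = [];
    for (const e of entries) {
      if (!e || typeof e.sourceRef !== 'string' ||
          !Number.isFinite(e.timeout) || e.timeout < 0) {
        return { status: 400, reason: `invalid entry under ${path}` };
      }
      // Copy only the known fields so unexpected keys never reach disk.
      cleaned[path].push({ sourceRef: e.sourceRef, timeout: e.timeout });
    }
  }
  return { status: 200, priorities: cleaned };
}

// Detection: parse combined-log-format lines (client, timestamp, request line,
// status) and flag every PUT to one of the affected paths.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function findSourcePriorityWrites(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, when, method, url, status] = m;
    const path = url.split('?')[0];
    if (method === 'PUT' && SOURCE_PRIORITY_PATHS.has(path)) {
      hits.push({ client, when, path, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample access log (not real traffic); the RFC 5737 address
// 203.0.113.9 stands in for an external client.
const SAMPLE_LOG = [
  '10.0.0.5 - - [02/Apr/2026:10:15:01 +0000] "GET /signalk/v1/api/vessels/self HTTP/1.1" 200 512',
  '203.0.113.9 - - [02/Apr/2026:10:15:07 +0000] "PUT /signalk/v1/api/sourcePriorities HTTP/1.1" 200 2',
  '203.0.113.9 - - [02/Apr/2026:10:15:09 +0000] "PUT /skServer/sourcePriorities HTTP/1.1" 200 2',
  '10.0.0.5 - - [02/Apr/2026:10:16:00 +0000] "GET /skServer/sourcePriorities HTTP/1.1" 200 340',
];

console.log(findSourcePriorityWrites(SAMPLE_LOG));
console.log(guardSourcePrioritiesUpdate(null, {}));
console.log(guardSourcePrioritiesUpdate(
  { authenticated: true, isAdmin: true },
  { 'navigation.position': [{ sourceRef: 'gps.0', timeout: 10000 }] }
));
```

Two hits on the sample log (both from the external client) are what an operator of an unpatched server would want surfaced; a 200 on a PUT from an unexpected client is the signal to inspect the persisted configuration and restore the intended source priorities after upgrading to 2.24.0-beta.1 or later. The guard orders its checks so that an unauthenticated caller learns nothing about the body schema, and it persists a filtered copy rather than the caller's object.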
OSV
Signal K Server: Unauthenticated Source Priorities Manipulation
osv·2026-04-03
CVE-2026-33951 [MEDIUM] Signal K Server: Unauthenticated Source Priorities Manipulation
No detection rules found.
No public exploits indexed.