CVE-2026-55591
published 2026-06-18


Severity: medium (score 9.8; note that a 9.8 base score falls in the CVSS v3.x Critical band, so the label and the score on this listing disagree)
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints

### Summary
signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled `host`, `port`, `useTLS`, and `selfsignedcert` parameters without any validation, allowing an attacker to force the server to make arbitrary HTTP/HTTPS requests to internal network resources, cloud metadata services, and other unintended destinations.

When security is not configured (the default state), these endpoints require **no authentication**.

### Details
#### Vulnerable Function

The core vulnerability is in `makeRemoteRequest()` at `src/serverroutes.ts:2483-2524`:

```typescript
import * as http from 'http'
import * as https from 'https'

function makeRemoteRequest(
  host: string,
  port: number,
  useTLS: boolean,
  selfsignedcert: boolean,
  path: string,
  method?: string,
  headers?: Record<string, string>, // type arguments inferred from use; the rendered advisory lost them
  body?: unknown
): Promise<{ status: number | undefined; data: string }> {
  const protocol = useTLS ? https : http
  return new Promise((resolve, reject) => {
    const options = {
      hostname: host, // NO VALIDATION - attacker controlled
      port, // NO VALIDATION - attacker controlled
      path,
      method: method || 'GET',
      headers: {
        ...(headers || {}),
        ...(body ? { 'Content-Type': 'application/json' } : {})
      },
      rejectUnauthorized: !selfsignedcert // Attacker can disable TLS verification
    }
    const req = protocol.request(options, (response) => {
      let data = ''
      response.on('data', (chunk: string) => {
        data += chunk
      })
      response.on('end', () => {
        // The full response body is handed back to the caller, so this is a
        // read SSRF: whatever the internal target answers is returned.
        resolve({ status: response.statusCode, data })
      })
    })
    req.on('error', reject)
    req.setTimeout(10000, () => {
      req.destroy(new Error('Connection timed out'))
    })
    if (body) {
      req.write(JSON.stringify(body))
    }
    req.end()
  })
}
```

#### Missing Validation

The function performs **zero validation** on the destination host. The following address ranges are all reachable:

- **Loopback**: `127.0.0.1`, `::1`, `localhost`
- **RFC 1918 pr
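The destination check that `makeRemoteRequest()` lacks, written as an added example for this page. It is not code from signalk-server or from the 2.28.0 fix; the names (`isBlockedAddress`, `checkResolvedTarget`, `validateRemoteTarget`, `RemoteTargetError`, `sampleLookup`) and the exact blocklist policy are assumptions, and the hostnames in `sampleLookup` are constructed so the example runs offline. It goes a little beyond the ranges listed above: it also catches IPv4-mapped IPv6 literals, CGNAT and multicast space, checks every resolved record, pins the request to the checked address, and refuses the `selfsignedcert` switch outright.

```typescript
import * as net from 'net'
import * as dns from 'dns/promises'

export class RemoteTargetError extends Error {}

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0)
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0)
}

// IPv4 ranges the server must never be coerced into contacting (policy is an assumption).
const BLOCKED_V4: Array<[string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes the 169.254.169.254 cloud metadata address
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 4], ['240.0.0.0', 4],
]

function isBlockedV4(ip: string): boolean {
  const n = ipv4ToInt(ip)
  return BLOCKED_V4.some(([base, bits]) => inCidr(n, base, bits))
}

// Expands any net.isIPv6()-valid literal into eight 16-bit groups, so compressed,
// expanded, IPv4-mapped and zone-suffixed spellings of one address compare alike.
function v6Groups(ip: string): number[] {
  let a = ip.toLowerCase().split('%')[0]
  const dot = /^(.*:)(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(a)
  if (dot) { // rewrite a trailing a.b.c.d as two hex groups
    const [, head, o1, o2, o3, o4] = dot
    a = head + ((+o1 << 8) | +o2).toString(16) + ':' + ((+o3 << 8) | +o4).toString(16)
  }
  const [head, tail = ''] = a.split('::')
  const hs = head ? head.split(':') : []
  const ts = tail ? tail.split(':') : []
  const fill = a.includes('::') ? 8 - hs.length - ts.length : 0
  return [...hs, ...Array(fill).fill('0'), ...ts].map((g) => parseInt(g, 16))
}

function isBlockedV6(ip: string): boolean {
  const g = v6Groups(ip)
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) // ::ffff:a.b.c.d -> judge the IPv4
    return isBlockedV4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`)
  if (g.slice(0, 6).every((x) => x === 0)) return true // ::, ::1 and deprecated ::a.b.c.d
  return (g[0] & 0xfe00) === 0xfc00 || // fc00::/7 unique-local
         (g[0] & 0xffc0) === 0xfe80 || // fe80::/10 link-local
         (g[0] & 0xff00) === 0xff00    // ff00::/8 multicast
}

export function isBlockedAddress(ip: string): boolean {
  if (net.isIPv4(ip)) return isBlockedV4(ip)
  if (net.isIPv6(ip)) return isBlockedV6(ip)
  return true // not an address literal at all: never connect to it
}

export interface PinnedTarget { address: string; port: number; servername: string }

// Policy check over an already-resolved host. Synchronous so it can be exercised
// without DNS; validateRemoteTarget() below does the lookup.
export function checkResolvedTarget(
  host: string, addresses: string[], port: number, selfsignedcert: boolean
): PinnedTarget {
  if (!Number.isInteger(port) || port < 1 || port > 65535)
    throw new RemoteTargetError(`invalid port ${port}`)
  if (selfsignedcert) // a request parameter must never switch off certificate verification
    throw new RemoteTargetError('disabling TLS certificate verification is not allowed')
  if (addresses.length === 0) throw new RemoteTargetError(`${host} did not resolve`)
  for (const a of addresses) // every record must pass, not just the first one
    if (isBlockedAddress(a)) throw new RemoteTargetError(`${host} resolves to blocked address ${a}`)
  return { address: addresses[0], port, servername: host }
}

// Resolves `host` (unless it is already a literal) and applies the policy.
// `lookup` is injectable; the default uses the system resolver.
export async function validateRemoteTarget(
  host: string, port: number, selfsignedcert: boolean,
  lookup: (h: string) => Promise<string[]> = async (h) =>
    (await dns.lookup(h, { all: true })).map((r) => r.address)
): Promise<PinnedTarget> {
  const addresses = net.isIP(host) ? [host] : await lookup(host)
  return checkResolvedTarget(host, addresses, port, selfsignedcert)
}

// Constructed stand-in for DNS so the example runs offline; these are not real hosts.
export const sampleLookup = async (h: string): Promise<string[]> =>
  ({ 'charts.example.com': ['203.0.113.10'],
     'metadata.internal': ['169.254.169.254'],
     'localhost': ['127.0.0.1', '::1'] } as Record<string, string[]>)[h] ?? []

validateRemoteTarget('charts.example.com', 443, false, sampleLookup)
  .then((t) => console.log('allowed:', t))
validateRemoteTarget('metadata.internal', 80, false, sampleLookup)
  .catch((e: Error) => console.log('refused:', e.message))
```

The caller then connects to the returned `address` instead of handing `host` to `http.request` again, passes `servername` (and a `Host` header) so TLS verification and virtual hosting still see the original name, and leaves `rejectUnauthorized` at its default of `true`. Resolving once and pinning the address removes the DNS-rebinding window between the check and the connect, and checking every record matters because one name can carry a public and a private address side by side. Node's `http`/`https` clients do not follow redirects, so `makeRemoteRequest()` as shown cannot be bounced to an internal address by a 3xx; any wrapper that does follow redirects has to re-run the check on every hop.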

### Affected

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| signalk | signalk-server | >= 0, < 2.28.0 | 2.28.0 |