CVE-2026-33950
CVE-2026-33950 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Signalk | Signal K Server | < 2.24.0 | — |
| Signalk | Signal K Server | 2.24.0 | Beta1 |
References
- https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4 (Product, Release Notes)
- https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf (Exploit, Vendor Advisory)
Source: NVD / NIST
