CVE-2026-33950

EUVD-2026-18372

02.04.2026, 17:16

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.4 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
signalk	signal_k_server	𝑥 < 2.24.0
signalk	signal_k_server	2.24.0:beta1
signalk	signal_k_server	2.24.0:beta2
signalk	signal_k_server	2.24.0:beta3

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4

https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf