CVE-2026-33950

Received
Published: 02 Apr 2026, 16:08
Last modified: 02 Apr 2026, 16:08

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.4 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Apr 2026, 16:08
Published
Vulnerability first disclosed

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, it is vulnerable to privilege escalation through admin role injection via the /enableSecurity endpoint. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

CVSS Metrics

  • v3.1 CRITICAL, Score: 9.4, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Techniques & Countermeasures

  • CWE-285: Improper Authorization

    The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  • CWE-288: Authentication Bypass Using an Alternate Path or Channel

    The product requires authentication, but the product has an alternate path or channel that does not require authentication.

  • CWE-862: Missing Authorization

    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

  • signalk/signalk-server

    < 2.24.0-beta.4

References (2)