CVE-2026-33950 PUBLISHED

signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Assigner: GitHub_M
Reserved: 24.03.2026 Published: 02.04.2026 Updated: 02.04.2026

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 9.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	SignalK
Product	signalk-server
Versions	Version < 2.24.0-beta.4 is affected

References

Problem Types

CWE-285: Improper Authorization CWE
CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE
CWE-862: Missing Authorization CWE