CVE-2026-33950

CVSS v3.1

9.4

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0-beta.4

Description Signal K Server, a server application used in marine navigation systems, contains a privilege escalation issue. An unauthenticated attacker can exploit this to gain full Administrator access to the server. This is achieved through Admin Role Injection via the '/enableSecurity' API endpoint. Successful exploitation allows modification of sensitive vessel routing data, alteration of server configurations, and access to restricted endpoints.

Recommendations Update Signal K Server to version 2.24.0-beta.4 or later.

Fix

LPE

Missing Authorization

Authentication Bypass Using an Alternate Path or Channel

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-288CWE-285

Related Identifiers

CVE-2026-33950

GHSA-X8HC-FQV3-7GWF

Affected Products

Signal K Server

CVE-2026-33950

Weakness Enumeration

Related Identifiers

Affected Products

References · 9