PT-2026-29797 · Unknown · Signal K Server

Vashuvats

·

Published

2026-04-02

·

Updated

2026-04-03

·

CVE-2026-33951

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Signal K Server versions prior to 2.24.0-beta.1
Description

Signal K Server exposes an unauthenticated HTTP endpoint that lets remote attackers modify the server's navigation data source priorities. The handler for PUT /signalk/v1/api/sourcePriorities enforces no authentication or authorization check and assigns the user-controlled request body directly to the server configuration, so an attacker can choose which GPS, AIS, or other sensor data sources the system trusts for a given data path. The change takes effect immediately and is persisted to disk, so it survives a restart. The vulnerable code is located in src/serverroutes.ts, lines 1064-1076, in the source priorities configuration handler. The root causes are the missing authentication and authorization check, the direct assignment of request input to configuration, the live application of the change, its persistence to disk, and the lack of input validation.
Recommendations

Update Signal K Server to version 2.24.0-beta.1 or later.

Fix

Improper Access Control

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-33951
GHSA-GFMV-VH34-H2X5

Affected Products

Signal K Server