PT-2026-29798 · Unknown · Signal K Server
Vashuvats · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34083
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SignalK Server versions prior to 2.24.0

Description: SignalK Server contains a code-level issue in its OIDC login and logout handlers: the unvalidated HTTP Host header is used to construct the OAuth2 redirect URI. Because the redirectUri configuration option is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions; the OIDC provider then sends the authorization code to the injected domain. The vulnerability is amplified by the official documentation recommending an Nginx configuration that forwards the vulnerable Host header. The issue affects the login handler in 'oidc-auth.ts' (lines 278-282) and the logout handler in 'oidc-auth.ts' (lines 513-515), both of which use the attacker-controlled Host header to construct redirect URIs.

Recommendations: Update to SignalK Server version 2.24.0 or later.
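As an added illustration (not Signal K's own code; the names redirectUriFromHost, safeRedirectUri, ReqLike and AuthConfig are hypothetical, and the hosts are constructed placeholders), the unsafe Host-derived redirect URI construction described above is shown beside a hardened form that prefers an operator-configured redirectUri and otherwise checks the Host header against an allowlist:

```typescript
// Added illustrative example, not Signal K's code: the unsafe pattern of
// deriving an OAuth2 redirect_uri from the client-supplied Host header,
// beside a hardened version that uses an operator-configured callback URL
// or, failing that, an allowlist of known public hosts.

interface ReqLike {
  protocol: string;            // "http" or "https"
  headers: { host?: string };  // attacker-controlled in the unsafe pattern
}

interface AuthConfig {
  redirectUri?: string;        // explicit public callback URL (preferred)
  allowedHosts?: string[];     // hosts the operator knows the server answers on
}

// UNSAFE: whatever Host the request carries ends up in redirect_uri, so the
// provider is told to deliver the authorization code to that host.
function redirectUriFromHost(req: ReqLike, callbackPath: string): string {
  return `${req.protocol}://${req.headers.host}${callbackPath}`;
}

// HARDENED: the request never decides where the code is sent. A configured
// redirectUri wins outright; otherwise the Host must match the allowlist.
function safeRedirectUri(req: ReqLike, callbackPath: string, cfg: AuthConfig): string {
  if (cfg.redirectUri) {
    return cfg.redirectUri;
  }
  const host = (req.headers.host ?? '').toLowerCase();
  const allowed = (cfg.allowedHosts ?? []).map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    // Fail closed instead of silently building a URI on an untrusted host.
    throw new Error(`Host header "${host}" is not a configured public host`);
  }
  return `${req.protocol}://${host}${callbackPath}`;
}

// Constructed sample: a request whose Host header was replaced in transit.
const spoofed: ReqLike = { protocol: 'https', headers: { host: 'attacker.example' } };
// Unsafe form reflects the spoofed host: "https://attacker.example/auth/callback"
console.log(redirectUriFromHost(spoofed, '/auth/callback'));
// Hardened form ignores it: "https://boat.example/auth/callback"
console.log(safeRedirectUri(spoofed, '/auth/callback', { redirectUri: 'https://boat.example/auth/callback' }));
```

Logging rejected Host values from safeRedirectUri gives defenders a direct signal that someone is probing the login flow with a forged Host header.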
References: Exploit, Fix
Weakness types: Origin Validation Error, Open Redirect
Affected Products: Signal K Server