{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-02T16:08:59.415Z", "dateUpdated": "2026-04-03T18:02:34.324Z"}, "containers": {"cna": {"title": "signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.24.0-beta.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:08:59.415Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "source": {"advisory": "GHSA-x8hc-fqv3-7gwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T18:00:30.341852Z", "id": "CVE-2026-33950", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:02:34.324Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-02T16:08:59.415Z", "dateUpdated": "2026-04-03T18:02:34.324Z"}, "containers": {"cna": {"title": "signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.24.0-beta.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:08:59.415Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "source": {"advisory": "GHSA-x8hc-fqv3-7gwf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33950", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T18:00:30.341852Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:00:56.514Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "id": "CVE-2026-33950", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:22.993", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.24.0-beta.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "signalk-server", "source": "cna", "vendor": "SignalK"}, "product": "signalk-server", "vendor": "signalk"}], "analysis": {"en": {"generated_at": "2026-04-02T23:25:06.978603+00:00", "value": {"mitigation_remediation": ["Deploy Signal K Server version 2.24.0\u2011beta.4 or later to apply the vendor patch.", "Restart the service after the upgrade to ensure changes take effect.", "If an upgrade cannot be performed immediately, restrict network access to the /enableSecurity endpoint, for example by firewall rules or network segmentation, to prevent unauthenticated requests.", "Verify that the /enableSecurity endpoint no longer accepts role injection requests by testing with an unauthenticated client."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "Signal K Server versions prior to 2.24.0\u2011beta.4 are affected. The vulnerability has been fixed in release 2.24.0\u2011beta.4 and later.", "description_and_impact": "Signal K Server allows an unauthenticated attacker to inject an administrator role via the /enableSecurity endpoint, elevating to full administrator privileges. This enables modification of sensitive vessel routing data, alteration of server configurations, and unrestricted access to protected endpoints, thereby compromising data integrity and operational control.", "risk_and_exploitability": "The flaw holds a CVSS score of 9.4, indicating a critical severity. Based on the description, the attack vector is likely a simple HTTP request to a publicly reachable endpoint, meaning an attacker only needs network connectivity to the server. No public exploits are listed and the vulnerability is not in the KEV catalog, but its high severity and ease of exploitation make it a significant threat. Because the EPSS score is not available, the exact probability of exploitation remains unknown."}}}}, "created": "2026-04-03T07:36:15.914733+00:00", "updated": "2026-04-03T09:18:37.972039+00:00", "vendors": ["signalk", "signalk$PRODUCT$signalk-server"]}