{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.106Z", "datePublished": "2026-04-02T16:11:58.762Z", "dateUpdated": "2026-04-02T16:21:53.516Z"}, "containers": {"cna": {"title": "signalk-server: Unauthenticated Source Priorities Manipulation", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.24.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:11:58.762Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1."}], "source": {"advisory": "GHSA-gfmv-vh34-h2x5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:21:02.812192Z", "id": "CVE-2026-33951", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:21:53.516Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1."}], "id": "CVE-2026-33951", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:23.200", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.24.0-beta.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "signalk-server", "source": "cna", "vendor": "SignalK"}, "product": "signalk-server", "vendor": "signalk"}], "analysis": {"en": {"generated_at": "2026-04-02T21:59:04.223692+00:00", "value": {"mitigation_remediation": ["Update SignalK signalk-server to version 2.24.0-beta.1 or later to disable the vulnerable endpoint", "Verify that the configuration file no longer contains the unauthenticated sourcePriorities route after the update", "If an immediate update is not possible, block or restrict access to the /signalk/v1/api/sourcePriorities endpoint with firewall rules or network segmentation", "Monitor signalk logs for unauthorized PUT attempts to the sourcePriorities URI", "Consider disabling the sourcePriorities endpoint via local configuration if it is not required for operations"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized configuration change affecting navigation data source trust"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the SignalK signalk-server prior to v2.24.0\u2011beta.1. Home\u2011grown deployments or ships running older releases without the patched endpoint are at risk.", "description_and_impact": "Signal K Server before version 2.24.0-beta.1 exposes an unauthenticated HTTP endpoint that permits attackers to modify source priorities for GPS, AIS, and other navigation sensors. By sending a PUT request to /signalk/v1/api/sourcePriorities, an attacker can alter which sources the system trusts and uses for critical navigation data. The change takes effect immediately, is persisted to disk, and survives server restarts, meaning the compromised configuration remains in place until corrected. This allows a malicious actor to feed incorrect data into a vessel\u2019s navigation stack, potentially leading to hazardous decisions or collisions. The weakness is a failure to enforce authentication and authorization, categorized as a classic access\u2011control violation.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity vulnerability, with no EPSS data available and it is not listed in the CISA KEV catalog. The attack vector is remote over HTTP; the endpoint requires no credentials and can be accessed from any host that can reach the server. An attacker only needs network connectivity to issue a crafted PUT request. Since authentication is not enforced, exploitation is straightforward once the server is reachable, but no privilege escalation or code execution is required. Due to the persistence of the changes, the impact is long\u2011lasting without timely remediation."}}}}, "created": "2026-04-03T07:36:15.018294+00:00", "updated": "2026-04-03T09:18:37.068404+00:00", "vendors": ["signalk", "signalk$PRODUCT$signalk-server"]}