CVE-2026-33950
Received Received - Intake
Privilege Escalation via Admin Role Injection in Signal K Server

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33950
EUVD
EUVD-2026-18372
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
signalk signal_k_server to 2.24.0 (exc)
signalk signal_k_server 2.24.0
signalk signal_k_server 2.24.0
signalk signal_k_server 2.24.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33950 is a critical privilege escalation vulnerability in the SignalK server application used on boats. The vulnerability exists because the /enableSecurity endpoint, which is intended to be used only once during initial setup to create the first admin account, remains accessible indefinitely. This allows an unauthenticated attacker to send requests to this endpoint at any time.

Because the endpoint does not validate the user role type in the request, an attacker can inject new administrator accounts without authentication. This means the attacker can gain full admin privileges on the server.

The vulnerability arises from the fact that the route is never disabled after initial setup and blindly trusts the 'type' field in the JSON request body, allowing unauthorized creation of admin users.

Compliance Impact

This vulnerability allows an unauthenticated attacker to gain full Administrator access to the SignalK server, enabling modification of sensitive vessel routing data, alteration of server configurations, and access to restricted endpoints.

Such unauthorized access and potential data manipulation can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

The ability to create arbitrary admin accounts without authentication undermines confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.

Therefore, until patched, this vulnerability poses a significant risk to compliance with standards that mandate secure access controls and protection of sensitive information.

Impact Analysis

An unauthenticated attacker exploiting this vulnerability can gain full administrative access to the SignalK server.

  • Modify sensitive vessel routing data.
  • Alter server configurations.
  • Access restricted endpoints that should only be available to authorized users.

This can lead to serious confidentiality and integrity breaches, as well as potential disruption of vessel operations.

Detection Guidance

This vulnerability can be detected by checking if the /skServer/enableSecurity endpoint is accessible and allows unauthenticated POST requests to create admin users even after the initial setup.

A practical detection method is to send a POST request to the /skServer/enableSecurity endpoint with JSON data containing user credentials and the type set to "admin". If the server accepts this request and creates a new admin user without authentication, the system is vulnerable.

  • Use a command like: curl -X POST http://<server_address>/skServer/enableSecurity -H "Content-Type: application/json" -d '{"userId": "testadmin", "password": "testpass", "type": "admin"}'

If the response indicates success and a new admin user is created, the vulnerability exists.

Mitigation Strategies

The immediate mitigation step is to upgrade the SignalK server to version 2.24.0-beta.4 or later, where the vulnerability has been fixed by disabling or removing the /enableSecurity endpoint after the initial setup and properly validating user roles.

Until the upgrade can be performed, restrict network access to the /skServer/enableSecurity endpoint to trusted users only, for example by firewall rules or network segmentation, to prevent unauthenticated access.

Additionally, review existing admin accounts for unauthorized users and revoke any suspicious accounts created via this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart