CVE-2026-33950
Status: Received - Intake
Privilege Escalation via Admin Role Injection in Signal K Server

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Meta Information
Published
2026-04-02
Last Modified
2026-04-06
Generated
2026-05-07
AI Q&A
2026-04-02
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs

Vendor    Product           Version / Range
signalk   signal_k_server   up to 2.24.0 (exclusive)
signalk   signal_k_server   2.24.0
signalk   signal_k_server   2.24.0
signalk   signal_k_server   2.24.0
CWE ID    Description
CWE-285   Improper Authorization: the product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-862   Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-288   Authentication Bypass Using an Alternate Path or Channel: the product requires authentication, but has an alternate path or channel that does not require authentication.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33950 is a privilege escalation vulnerability in Signal K Server, the Node.js server application that runs on a boat's central hub. The /skServer/enableSecurity endpoint exists to create the first administrator account when security is switched on during initial setup, but the route is never disabled afterwards, so it stays reachable by anyone who can talk to the server.

The handler also copies the 'type' field from the JSON request body into the new account instead of validating it. Together these two defects mean an unauthenticated attacker can POST a new user with type 'admin' at any time, without holding any existing credential, and obtain full administrator privileges on the server.
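To make the two defects concrete, here is an added JavaScript model (example code written for this page, not Signal K Server's own source, and the project's actual patch may differ) of the bootstrap handler as the advisory describes it, beside a hardened variant that applies the two fixes the advisory names: the route becomes a one-shot, and the requested role is no longer trusted. Handlers are plain functions of (state, body) rather than Express routes so the example runs offline; the role names readwrite/readonly, the response codes and the user-management helper are assumptions made for the example.

```javascript
// Added example for this advisory; not Signal K Server's code, and the
// project's real patch may differ. Models the two defects described above
// (bootstrap route never disabled; client-supplied "type" trusted) beside a
// hardened variant. Handlers are (state, body) => { status, body } so the
// example runs without Express. Role names are assumptions; password storage
// (hashing) is omitted because it is not the point here.

const VALID_TYPES = new Set(['admin', 'readwrite', 'readonly']); // assumed role names

function newState() {
  // securityEnabled flips on at first-time setup; users is the account store.
  return { securityEnabled: false, users: [] };
}

// Vulnerable shape of POST /skServer/enableSecurity: no check that setup has
// already happened, and "type" is copied straight from the request body, so a
// later unauthenticated request carrying type "admin" mints another admin.
function enableSecurityVulnerable(state, body) {
  if (!body || !body.userId || !body.password) {
    return { status: 400, body: { error: 'userId and password required' } };
  }
  state.securityEnabled = true;
  state.users.push({ userId: body.userId, type: body.type });
  return { status: 200, body: { result: 'ok' } };
}

// Hardened shape, applying the fixes the advisory names:
//  1. one-shot: once security is enabled the route answers 409 and changes
//     nothing, so further accounts go through the authenticated path below;
//  2. the bootstrap account is always admin by server decision; the request's
//     "type" is ignored rather than trusted.
function enableSecurityHardened(state, body) {
  if (state.securityEnabled) {
    return { status: 409, body: { error: 'security already enabled' } };
  }
  if (!body || typeof body.userId !== 'string' || typeof body.password !== 'string') {
    return { status: 400, body: { error: 'userId and password required' } };
  }
  state.securityEnabled = true;
  state.users.push({ userId: body.userId, type: 'admin' });
  return { status: 200, body: { result: 'ok' } };
}

// Authenticated user creation for everyone after bootstrap (assumed helper):
// the caller must be an existing admin and the requested role must be on the
// allow-list. This is where a "type" from a request body may be honoured.
function addUser(state, callerUserId, body) {
  const caller = state.users.find((u) => u.userId === callerUserId);
  if (!caller || caller.type !== 'admin') {
    return { status: 403, body: { error: 'admin privileges required' } };
  }
  if (!body || typeof body.userId !== 'string' || typeof body.password !== 'string' || !VALID_TYPES.has(body.type)) {
    return { status: 400, body: { error: 'userId, password and a valid type required' } };
  }
  if (state.users.some((u) => u.userId === body.userId)) {
    return { status: 409, body: { error: 'user exists' } };
  }
  state.users.push({ userId: body.userId, type: body.type });
  return { status: 200, body: { result: 'ok' } };
}

// Replays the advisory's scenario against a handler: the operator completes
// setup once, then an unauthenticated party sends the probe payload quoted on
// this page with type "admin". Returns how many admin accounts exist after.
function adminCountAfterAttack(enableSecurity) {
  const state = newState();
  enableSecurity(state, { userId: 'skipper', password: 'setup-password', type: 'admin' });
  enableSecurity(state, { userId: 'testadmin', password: 'testpass', type: 'admin' });
  return state.users.filter((u) => u.type === 'admin').length;
}

console.log('vulnerable handler, admins after attack:', adminCountAfterAttack(enableSecurityVulnerable)); // 2
console.log('hardened handler, admins after attack:', adminCountAfterAttack(enableSecurityHardened)); // 1
```

The design point is that the bootstrap route decides the role itself and then goes dead; any endpoint that both accepts a caller-chosen role and has no "setup already done" guard is exploitable regardless of what else the server checks.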


How can this vulnerability impact me? :

An unauthenticated attacker who exploits this vulnerability gains full administrative access to the Signal K server and can:

  • Modify sensitive vessel routing data.
  • Alter server configurations.
  • Access restricted endpoints that should only be available to authorized users.

Because navigation and vessel data flow through this hub, the result is a confidentiality and integrity breach of that data and a potential disruption of vessel operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is confirmed by checking whether /skServer/enableSecurity still accepts an unauthenticated POST that creates an admin user after initial setup has completed.

Note that this probe is the exploit itself: a successful request creates a real administrator account on the target. Run it only against servers you are authorised to test, use a throwaway user name, and delete that account afterwards. Where possible, check the running version first (GET /signalk returns the Signal K discovery document, whose server object carries the version) and only probe servers reporting a version older than 2.24.0-beta.4.

  • Use a command like: curl -X POST http://<server_address>/skServer/enableSecurity -H "Content-Type: application/json" -d '{"userId": "testadmin", "password": "testpass", "type": "admin"}'

If the response indicates success and a user named testadmin now appears in the server's security settings with administrator rights, the server is vulnerable.
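Before sending the account-creating probe, a non-destructive version check is the better first step. The following is an added example (not code from Signal K Server or from this page) that reads server.version from the Signal K discovery document returned by GET /signalk, which the Signal K specification defines to carry a server object with id and version, and compares it with 2.24.0-beta.4 using semver prerelease ordering, which a naive string comparison gets wrong (2.24.0-beta.10 against 2.24.0-beta.4, and 2.24.0 against 2.24.0-beta.4). The server id value signalk-server-node, the sample discovery document, and the restriction of the check to that id are assumptions made for the example.

```javascript
// Added triage helper for this advisory; not code from Signal K Server or from
// this page. Reads the running version from the Signal K discovery document
// (GET /signalk carries "server": { "id", "version" } per the specification)
// and compares it with the fixed release using semver prerelease ordering, so
// 2.24.0-beta.3 is flagged while 2.24.0-beta.4, 2.24.0-beta.10 and 2.24.0 are
// not. The server id string below is an assumption.

const FIXED_VERSION = '2.24.0-beta.4';
const NODE_SERVER_ID = 'signalk-server-node'; // assumed id reported by Signal K Server (Node)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// semver precedence: numeric core fields first; a release outranks any
// prerelease of the same core; prerelease identifiers compare left to right
// (numbers numerically, numeric before alphanumeric, shorter list first).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i];
    const y = pb.pre[i];
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum) {
      return -1;
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  if (pa.pre.length !== pb.pre.length) return pa.pre.length < pb.pre.length ? -1 : 1;
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Classify a parsed discovery document without touching the server's state.
function triageDiscovery(doc) {
  const server = doc && doc.server;
  if (!server || typeof server.id !== 'string' || typeof server.version !== 'string') {
    throw new Error('discovery document has no server.id/server.version');
  }
  const isNodeServer = server.id === NODE_SERVER_ID;
  return {
    serverId: server.id,
    version: server.version,
    // only the Node server's version line is covered by this advisory
    vulnerable: isNodeServer && isVulnerableVersion(server.version),
  };
}

// Live use (needs a network; not exercised offline): GET <base>/signalk.
async function triageServer(baseUrl, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${baseUrl.replace(/\/$/, '')}/signalk`);
  if (!res.ok) throw new Error(`GET /signalk failed: HTTP ${res.status}`);
  return triageDiscovery(await res.json());
}

// Constructed sample discovery document reporting an unpatched beta version.
const SAMPLE_DISCOVERY = {
  endpoints: { v1: { version: '1.7.0', 'signalk-http': 'http://192.0.2.10:3000/signalk/v1/api/' } },
  server: { id: 'signalk-server-node', version: '2.24.0-beta.3' },
};

console.log(triageDiscovery(SAMPLE_DISCOVERY)); // vulnerable: true
```

Run triageServer('http://<server_address>:3000') on Node 18 or later (global fetch), or paste the discovery JSON into triageDiscovery. Only a result of vulnerable: true justifies the account-creating probe above, and that probe still needs authorisation and a cleanup of the test account.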


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade Signal K Server to version 2.24.0-beta.4 or later; the advisory describes the fix as disabling the /skServer/enableSecurity bootstrap route once initial setup has completed and validating the requested user role.

Until the upgrade can be performed, keep the server off untrusted networks. Ordinary firewall rules operate at the host and port level, so blocking only the /skServer/enableSecurity path requires a reverse proxy in front of the server that denies POST requests to that path; otherwise restrict the whole service to trusted hosts by firewall rules or network segmentation.

In either case, review the users defined in the server's security settings, remove any administrator account you did not create, and rotate the credentials of the legitimate admin accounts, since an attacker with admin access could have changed them.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

Because the flaw gives an unauthenticated attacker full administrator control of the Signal K server, including modification of vessel routing data and server configuration, it undermines the access-control and integrity requirements that data-protection regimes such as GDPR impose on systems holding personal data (HIPAA is relevant only where the system handles protected health information).

The ability to create arbitrary admin accounts without authentication defeats the confidentiality, integrity and availability controls that most compliance frameworks mandate, so an unpatched server is a material compliance risk until it is upgraded.

