CVE-2026-33951
Received Received - Intake

Unauthenticated PUT Allows Navigation Data Manipulation in Signal K Server

Vulnerability report for CVE-2026-33951, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-02
Last Modified
2026-04-06
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
signalk signal_k_server to 2.24.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-33951 is a vulnerability in the SignalK Server application, which runs on a central hub in a boat. Before version 2.24.0-beta.1, the server exposes an unauthenticated HTTP PUT endpoint at /signalk/v1/api/sourcePriorities that allows remote attackers to modify navigation data source priorities.

This endpoint does not enforce any authentication or authorization checks and directly assigns user-controlled input to the server's configuration settings. Attackers can send arbitrary JSON data to change which GPS, AIS, or other sensor data sources the system trusts.

The changes are applied immediately and saved to disk, persisting even after server restarts. This means attackers can manipulate the navigation data sources the system relies on without any restrictions.

Impact Analysis

This vulnerability allows unauthorized remote attackers to manipulate the priorities of navigation data sources used by the SignalK Server.

  • Attackers can cause the system to trust incorrect or malicious GPS, AIS, or other sensor data.
  • Such manipulation can lead to incorrect navigation information being used, potentially compromising the safety and operation of the boat.
  • Because the changes persist after server restarts, the impact can be long-lasting until the system is patched or restored.
Detection Guidance

This vulnerability can be detected by monitoring network traffic for unauthenticated HTTP PUT requests to the endpoint /signalk/v1/api/sourcePriorities or /skServer/sourcePriorities. Such requests indicate attempts to modify navigation data source priorities without authentication.

You can use network monitoring tools like tcpdump or Wireshark to capture and filter HTTP PUT requests to these endpoints.

  • Example tcpdump command to detect such requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT /signalk/v1/api/sourcePriorities'
  • Alternatively, use curl or similar tools to test if the endpoint is accessible without authentication by sending a PUT request and observing the response.
Mitigation Strategies

The immediate mitigation step is to upgrade the SignalK Server to version 2.24.0-beta.1 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict network access to the SignalK Server to trusted users only, for example by firewall rules or network segmentation, to prevent unauthorized access to the vulnerable endpoint.

Additionally, monitor and audit any changes to the navigation data source priorities configuration to detect unauthorized modifications.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to manipulate navigation data source priorities by exploiting an exposed HTTP endpoint without authentication or authorization. This unauthorized access to critical configuration settings could lead to trust in incorrect or malicious sensor data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the lack of authentication and control over critical system configuration could potentially violate security requirements in these regulations, which mandate protection of data integrity and access controls.

Therefore, this vulnerability may negatively impact compliance with common standards and regulations that require strict access control and data integrity protections.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart