CVE-2026-34083
Status: Received - Intake
OAuth2 Redirect URI Manipulation in Signal K Server Allows Session Hijacking

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers: the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header in realistic deployments, and the OIDC provider will then send the authorization code to whatever domain was injected, allowing the attacker to steal OAuth authorization codes and hijack user sessions. This issue has been patched in version 2.24.0.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-06
Generated: 2026-05-06
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: signalk | Product: signal_k_server | Version / Range: versions before 2.24.0 (2.24.0 excluded)
CWE ID / Description
CWE-346: The product does not properly verify that the source of data or communication is valid.
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in SignalK Server allows attackers to steal OAuth authorization codes and hijack user sessions by exploiting an unvalidated HTTP Host header in the OIDC login and logout handlers.

This unauthorized access to user sessions and potential interception of sensitive authentication tokens could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over user data confidentiality and session security.

Specifically, the compromise of OAuth tokens may result in unauthorized access to personal or protected health information, undermining compliance with these standards.

Therefore, until patched, deployments of SignalK Server with this vulnerability may be at risk of non-compliance with common security and privacy regulations due to the potential for data breaches and session hijacking.


Can you explain this vulnerability to me?

CVE-2026-34083 is a moderate severity vulnerability in the SignalK Server application affecting its OpenID Connect (OIDC) login and logout handlers prior to version 2.24.0.

The vulnerability arises because the server uses the HTTP Host header, which can be controlled by an attacker, to dynamically construct the OAuth2 redirect_uri when the redirectUri configuration is not set. This violates the OIDC specification that requires redirect_uri to be pre-registered and trusted.

As a result, an attacker can spoof the Host header to cause the server to send OAuth authorization codes to a malicious domain, enabling the attacker to steal these codes and hijack user sessions. Additionally, the logout handler can redirect users to attacker-controlled domains, facilitating phishing or further attacks.

This issue is worsened by official documentation recommending proxy configurations that forward the Host header unmodified, making real-world deployments vulnerable.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to steal OAuth authorization codes intended for your server.

With these stolen codes, attackers can hijack user sessions by exchanging the codes for tokens and impersonating legitimate users.

Furthermore, attackers can manipulate logout redirects to send users to malicious websites, increasing the risk of phishing attacks or other malicious activities.

Overall, this leads to compromised user accounts, unauthorized access, and potential loss of trust in your system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests to the SignalK Server's OIDC login and logout endpoints for suspicious or spoofed Host headers.

Specifically, you can look for HTTP requests where the Host header is set to unexpected or attacker-controlled domains, which may indicate attempts to exploit the unvalidated Host header.

Suggested commands to detect such activity include using network traffic inspection tools like tcpdump or tshark to filter HTTP requests with unusual Host headers.

  • Using tcpdump to capture HTTP traffic and filter for Host headers not matching your legitimate domain:
    tcpdump -i <interface> -A 'tcp port 80' | grep -i 'Host:'
  • Using tshark to filter HTTP Host headers that do not match your expected domain:
    tshark -i <interface> -Y 'http.host and not http.host contains "yourlegitdomain.com"'

Additionally, reviewing server logs for OIDC login and logout requests with unexpected Host header values can help identify exploitation attempts.
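The log review described above, as an added example that is not part of this advisory or the Signal K project: it parses constructed proxy access-log lines and flags requests that reached an OIDC login or logout endpoint with a Host header outside the hostnames you actually serve. The log format, the endpoint paths and the hostnames are assumptions; substitute your own.

```javascript
// Added example, not Signal K Server code. Flags OIDC login/logout requests
// whose Host header is not one of the hostnames this deployment serves.

// Assumed: the hostnames (with optional port) that legitimately reach the server.
const ALLOWED_HOSTS = new Set(["boat.example.org", "boat.example.org:3000"]);

// Assumed endpoint paths; replace with the real OIDC login/logout paths.
const OIDC_PATHS = ["/auth/oidc/login", "/auth/oidc/logout"];

// Assumed proxy log format: <client> <host-header> "<method> <path> HTTP/x" <status>
const LINE_RE = /^(\S+) (\S+) "(\S+) (\S+) HTTP\/[\d.]+" (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // unparseable line: skip rather than guess
  return {
    client: m[1],
    host: m[2].toLowerCase(), // Host is case-insensitive; normalise before comparing
    method: m[3],
    path: m[4].split("?")[0], // drop the query string before matching paths
    status: Number(m[5]),
  };
}

function isOidcEndpoint(path) {
  return OIDC_PATHS.some((p) => path === p || path.startsWith(p + "/"));
}

// Returns the parsed requests that hit an OIDC endpoint with an unexpected Host.
// Exact-match against the allowlist: a "contains" check would also accept
// hosts such as "boat.example.org.attacker.example".
function findSpoofedHostRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (req && isOidcEndpoint(req.path) && !ALLOWED_HOSTS.has(req.host)) hits.push(req);
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '192.0.2.10 boat.example.org "GET /auth/oidc/login HTTP/1.1" 302',
  '192.0.2.11 boat.example.org "GET /dashboard HTTP/1.1" 200',
  '198.51.100.7 unexpected.example "GET /auth/oidc/login?next=/ HTTP/1.1" 302',
  '198.51.100.7 unexpected.example "GET /dashboard HTTP/1.1" 200',
  '198.51.100.9 BOAT.example.org:3000 "GET /auth/oidc/logout HTTP/1.1" 302',
  '203.0.113.4 unexpected.example:443 "POST /auth/oidc/logout HTTP/1.1" 302',
];

for (const hit of findSpoofedHostRequests(SAMPLE_LOG)) {
  console.log(`suspicious Host "${hit.host}" on ${hit.path} from ${hit.client}`);
}
```

Note that packet captures on port 80 only show plaintext HTTP; when the server sits behind a TLS-terminating proxy, the proxy's access log (as parsed here) is where the forwarded Host value is visible.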


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the SignalK Server to version 2.24.0 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, you should configure the OIDC redirectUri explicitly in the server configuration to avoid fallback to the unvalidated Host header.

Additionally, review and modify any reverse proxy configurations (such as Nginx) to avoid forwarding the client-supplied Host header unmodified. Instead, set the Host header to a fixed, trusted value.

  • Explicitly set the redirectUri in the OIDC configuration to a fixed, pre-registered URI.
  • Modify Nginx proxy configuration to use a fixed Host header, for example: proxy_set_header Host yourlegitdomain.com;

These steps prevent attackers from injecting malicious Host headers and stealing OAuth authorization codes or hijacking sessions.
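To make the mitigation concrete, here is an added example (not code from the Signal K project) that places the pattern the advisory describes beside a hardened replacement: the configured, pre-registered redirectUri wins, and when it is absent the Host header is accepted only if it exactly matches an allowlist. The callback path, the allowedHosts configuration key and the https scheme are assumptions.

```javascript
// Added example, not Signal K Server code. Builds the OAuth2 redirect_uri for
// the OIDC login handler; the same rule applies to the logout redirect target.

const CALLBACK_PATH = "/auth/oidc/callback"; // assumed callback path

// Pattern described by the advisory: with redirectUri unset, whatever Host
// header arrived becomes the redirect_uri the provider sends the code to.
function buildRedirectUriUnsafe(config, hostHeader) {
  if (config.redirectUri) return config.redirectUri;
  return `https://${hostHeader}${CALLBACK_PATH}`;
}

// Hardened: prefer the explicit, pre-registered redirectUri. Only if it is
// missing, derive the URI from a Host value that exactly matches the
// allowlist (assumed config key "allowedHosts"); refuse anything else
// instead of silently falling back to the request header.
function buildRedirectUriHardened(config, hostHeader) {
  if (config.redirectUri) return config.redirectUri;
  const allowed = new Set((config.allowedHosts || []).map((h) => h.toLowerCase()));
  const host = String(hostHeader || "").toLowerCase();
  // Exact match only: substring checks would accept "boat.example.org.attacker.example".
  if (!allowed.has(host)) {
    throw new Error(`refusing to build redirect_uri for unexpected Host "${hostHeader}"`);
  }
  return `https://${host}${CALLBACK_PATH}`;
}

// Constructed demonstration: same fallback config, same spoofed Host value.
const fallbackConfig = { allowedHosts: ["boat.example.org"] };
console.log("unsafe:  ", buildRedirectUriUnsafe(fallbackConfig, "unexpected.example"));
try {
  buildRedirectUriHardened(fallbackConfig, "unexpected.example");
} catch (err) {
  console.log("hardened:", err.message);
}
```

Setting redirectUri removes the fallback entirely, which is why the advisory lists it first; the allowlist branch only matters for deployments that cannot fix the configuration right away.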

