CVE-2026-34083
OAuth2 Redirect URI Manipulation in Signal K Server Allows Session Hijacking
Publication date: 2026-04-02
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| signalk | signal_k_server | < 2.24.0 (2.24.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in SignalK Server allows attackers to steal OAuth authorization codes and hijack user sessions by exploiting an unvalidated HTTP Host header in the OIDC login and logout handlers.
This unauthorized access to user sessions and potential interception of sensitive authentication tokens could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over user data confidentiality and session security.
Specifically, the compromise of OAuth tokens may result in unauthorized access to personal or protected health information, undermining compliance with these standards.
Therefore, until patched, deployments of SignalK Server with this vulnerability may be at risk of non-compliance with common security and privacy regulations due to the potential for data breaches and session hijacking.
Can you explain this vulnerability to me?
CVE-2026-34083 is a moderate severity vulnerability in the SignalK Server application affecting its OpenID Connect (OIDC) login and logout handlers prior to version 2.24.0.
The vulnerability arises because the server uses the HTTP Host header, which can be controlled by an attacker, to dynamically construct the OAuth2 redirect_uri when the redirectUri configuration is not set. This violates the OIDC specification that requires redirect_uri to be pre-registered and trusted.
As a result, an attacker can spoof the Host header to cause the server to send OAuth authorization codes to a malicious domain, enabling the attacker to steal these codes and hijack user sessions. Additionally, the logout handler can redirect users to attacker-controlled domains, facilitating phishing or further attacks.
This issue is worsened by official documentation recommending proxy configurations that forward the Host header unmodified, making real-world deployments vulnerable.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to steal OAuth authorization codes intended for your server.
With these stolen codes, attackers can hijack user sessions by exchanging the codes for tokens and impersonating legitimate users.
Furthermore, attackers can manipulate logout redirects to send users to malicious websites, increasing the risk of phishing attacks or other malicious activities.
Overall, this leads to compromised user accounts, unauthorized access, and potential loss of trust in your system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the SignalK Server's OIDC login and logout endpoints for suspicious or spoofed Host headers.
Specifically, you can look for HTTP requests where the Host header is set to unexpected or attacker-controlled domains, which may indicate attempts to exploit the unvalidated Host header.
Suggested commands to detect such activity include using network traffic inspection tools like tcpdump or tshark to filter HTTP requests with unusual Host headers.
- Using tcpdump to capture HTTP traffic and filter for Host headers not matching your legitimate domain: tcpdump -i <interface> -A 'tcp port 80' | grep -i 'Host:'
- Using tshark to filter HTTP Host headers that do not match your expected domain: tshark -i <interface> -Y 'http.host and not http.host contains "yourlegitdomain.com"'
Additionally, reviewing server logs for OIDC login and logout requests with unexpected Host header values can help identify exploitation attempts.
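The log-review step above, as an added example that is not part of the advisory or the Signal K project: it walks constructed access-log lines, keeps only requests to OIDC login/logout paths (the path pattern, log format and allowlist are assumptions) and flags any whose Host header is outside the deployment's allowlist.

```javascript
// Added example (not Signal K project code). Log format, OIDC path pattern and
// allowlist are assumptions; the log lines are constructed for illustration.
const ALLOWED_HOSTS = new Set(['signalk.example.org']); // bare host names, no port
const OIDC_PATH_RE = /\/oidc\/(login|logout)\b/i;      // assumed endpoint pattern

const SAMPLE_LOG = [ // constructed: "<ts> <src-ip> <method> <path> host=<Host header>"
  '2026-04-03T10:00:01Z 203.0.113.5 GET /oidc/login host=signalk.example.org',
  '2026-04-03T10:00:02Z 203.0.113.9 GET /oidc/login host=evil.example.net',
  '2026-04-03T10:00:03Z 198.51.100.2 GET /oidc/logout host=signalk.example.org',
  '2026-04-03T10:00:04Z 198.51.100.7 GET /oidc/logout host=SIGNALK.EXAMPLE.ORG:443',
  '2026-04-03T10:00:05Z 192.0.2.8 GET /signalk/v1/api/vessels host=evil.example.net',
];

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) host=(\S*)$/;

// Host names are case-insensitive; drop any :port so "host:443" compares equal
// to the bare allowlist entry. An empty Host header is never allowed.
function hostAllowed(host, allowed) {
  const bare = host.trim().toLowerCase().replace(/:\d+$/, '');
  return bare.length > 0 && allowed.has(bare);
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparsable lines are skipped, not treated as hits
  return { ts: m[1], src: m[2], method: m[3], path: m[4], host: m[5] };
}

// Returns one record per OIDC login/logout request whose Host is not allowlisted.
function findSuspicious(lines, allowed) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !OIDC_PATH_RE.test(r.path)) continue; // only OIDC endpoints matter here
    if (hostAllowed(r.host, allowed)) continue;
    hits.push({ ...r, reason: `Host "${r.host}" not in allowlist on OIDC endpoint` });
  }
  return hits;
}

console.log(JSON.stringify(findSuspicious(SAMPLE_LOG, ALLOWED_HOSTS), null, 1));
```

Note that the tcpdump and tshark commands above only see cleartext HTTP; behind a TLS-terminating reverse proxy, the Host value that reaches the server is whatever the proxy forwards, so the proxy's own access log (or a capture on the proxy-to-backend hop) is the place to apply this check. A substring filter such as tshark's "contains" would also accept a hostname that merely embeds your domain, which is why the example compares whole, normalised host names.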
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the SignalK Server to version 2.24.0 or later, where this vulnerability has been patched.
If upgrading immediately is not possible, you should configure the OIDC redirectUri explicitly in the server configuration to avoid fallback to the unvalidated Host header.
Additionally, review and modify any reverse proxy configurations (such as Nginx) to avoid forwarding the client-supplied Host header unmodified. Instead, set the Host header to a fixed, trusted value.
- Explicitly set the redirectUri in the OIDC configuration to a fixed, pre-registered URI.
- Modify Nginx proxy configuration to use a fixed Host header, for example: proxy_set_header Host yourlegitdomain.com;
These steps prevent attackers from injecting malicious Host headers and stealing OAuth authorization codes or hijacking sessions.
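The unsafe fallback described in the explanation above and the explicit-redirectUri mitigation, as an added example that is not Signal K's own code: a hypothetical OIDC helper where the "before" trusts the client-supplied Host header when redirectUri is unset, and the hardened version fails closed unless a pre-registered https redirectUri is configured and restricts logout redirects to that origin. The callback path and function names are assumptions.

```javascript
// Added example (not Signal K project code); callback path and names are hypothetical.

// UNSAFE pattern: with no configured redirectUri, the attacker-controllable Host
// header decides where the authorization code is sent.
function buildRedirectUriUnsafe(config, req) {
  if (config.redirectUri) return config.redirectUri;
  return `${req.protocol}://${req.headers.host}/auth/oidc/callback`; // hypothetical path
}

// Hardened: the redirect_uri comes only from explicit, pre-registered configuration.
// Missing or malformed values throw instead of falling back to the Host header.
function buildRedirectUri(config) {
  if (typeof config.redirectUri !== 'string' || config.redirectUri.length === 0) {
    throw new Error('oidc.redirectUri must be configured explicitly');
  }
  const u = new URL(config.redirectUri); // throws on malformed values
  if (u.protocol !== 'https:') throw new Error('redirectUri must use https');
  return u.toString();
}

// Hardened logout: a requested post-logout target is honoured only if it resolves
// to the same origin as the configured redirectUri; anything else (absolute URLs
// to other hosts, protocol-relative "//evil", javascript: URLs) falls back to "/".
function safeLogoutTarget(config, requested) {
  const base = new URL(buildRedirectUri(config));
  if (!requested) return '/';
  let target;
  try { target = new URL(requested, base); } catch { return '/'; }
  if (target.origin !== base.origin) return '/';
  return target.pathname + target.search; // re-emit as a relative path
}

const cfg = { redirectUri: 'https://signalk.example.org/auth/oidc/callback' };
const spoofed = { protocol: 'https', headers: { host: 'evil.example.net' } };
console.log('unsafe :', buildRedirectUriUnsafe({}, spoofed));
console.log('safe   :', buildRedirectUri(cfg));
console.log('logout :', safeLogoutTarget(cfg, '//evil.example.net/'));
```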