{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-02T16:08:59.415Z", "dateUpdated": "2026-04-03T18:02:34.324Z"}, "containers": {"cna": {"title": "signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.24.0-beta.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:08:59.415Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "source": {"advisory": "GHSA-x8hc-fqv3-7gwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T18:00:30.341852Z", "id": "CVE-2026-33950", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:02:34.324Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33950", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T18:00:30.341852Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:00:56.514Z"}}], "cna": {"title": "signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity", "source": {"advisory": "GHSA-x8hc-fqv3-7gwf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"status": "affected", "version": "< 2.24.0-beta.4"}]}], "references": [{"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf", "name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4", "name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:08:59.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33950", "state": "PUBLISHED", "dateUpdated": "2026-04-03T18:02:34.324Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T16:08:59.415Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "64F9BA25-5552-4477-84F9-83E71B2CA56F", "versionEndExcluding": "2.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "2484CB8F-BFFE-4F61-ACE2-A59F1F817F42", "vulnerable": true}, {"criteria": "cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "D5464B6D-9FB4-4D67-B182-A312E3110AEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "B521B34B-9F81-46E4-88BB-617A3D8A653E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}], "id": "CVE-2026-33950", "lastModified": "2026-04-06T15:04:42.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:22.993", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.24.0-beta.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "signalk-server", "source": "cna", "vendor": "SignalK"}, "product": "signalk-server", "vendor": "signalk"}], "analysis": {"en": {"generated_at": "2026-04-06T18:07:13.824577+00:00", "value": {"mitigation_remediation": ["Upgrade Signal K Server to version 2.24.0-beta.4 or newer"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Admin Role Injection"}, "threat_synthesis": {"affected_systems": "Signal K Server, produced by SignalK, is affected in all releases prior to 2.24.0-beta.4, including the beta1, beta2, and beta3 builds. The vulnerability is fixed in version 2.24.0-beta.4 and later.", "description_and_impact": "Signal K Server contains a flaw that permits an unauthenticated user to invoke the /enableSecurity endpoint and inject an administrative role. This bypasses all authentication checks and elevates the attacker to full Administrator level, allowing control over vessel routing data, server configuration, and access to sensitive endpoints, thereby compromising the integrity and availability of the vessel\u2019s systems.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.4, indicating a critical severity. However, the EPSS score is below 1%, suggesting a low current exploitation probability. It is not listed in CISA\u2019s KEV catalog. An attacker can exploit this remotely by sending an HTTP request to the /enableSecurity endpoint from any network segment that can reach the server, which poses a significant risk for vessels with exposed or unprotected network access."}}}}, "created": "2026-04-03T07:36:15.914733+00:00", "updated": "2026-04-07T07:56:06.844128+00:00", "vendors": ["signalk", "signalk$PRODUCT$signalk-server"]}