CVE-2026-33950: CWE-285: Improper Authorization in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
AI Analysis
Technical Summary
SignalK server versions before 2.24.0-beta.4 contain an improper authorization vulnerability (CWE-285) that allows an unauthenticated attacker to escalate privileges to Administrator by exploiting the /enableSecurity endpoint. This flaw enables full administrative control over the server, impacting confidentiality and integrity of vessel routing data and server configurations. The issue is addressed in version 2.24.0-beta.4.
Potential Impact
Exploitation of this vulnerability results in an unauthenticated attacker gaining full Administrator privileges on the SignalK server. This compromises the confidentiality and integrity of sensitive vessel routing data and server configurations, potentially disrupting vessel operations. Availability impact is low but present due to possible configuration changes.
Mitigation Recommendations
A patch fixing this vulnerability is available in SignalK server version 2.24.0-beta.4. Users should upgrade to this version or later to remediate the issue. Since this is not a cloud service, remediation depends on applying the vendor's patch. Patch status is confirmed by the vendor advisory.
CVE-2026-33950: CWE-285: Improper Authorization in SignalK signalk-server
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SignalK server versions before 2.24.0-beta.4 contain an improper authorization vulnerability (CWE-285) that allows an unauthenticated attacker to escalate privileges to Administrator by exploiting the /enableSecurity endpoint. This flaw enables full administrative control over the server, impacting confidentiality and integrity of vessel routing data and server configurations. The issue is addressed in version 2.24.0-beta.4.
Potential Impact
Exploitation of this vulnerability results in an unauthenticated attacker gaining full Administrator privileges on the SignalK server. This compromises the confidentiality and integrity of sensitive vessel routing data and server configurations, potentially disrupting vessel operations. Availability impact is low but present due to possible configuration changes.
Mitigation Recommendations
A patch fixing this vulnerability is available in SignalK server version 2.24.0-beta.4. Users should upgrade to this version or later to remediate the issue. Since this is not a cloud service, remediation depends on applying the vendor's patch. Patch status is confirmed by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T19:50:52.105Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce9803e6bfc5ba1dea5ac9
Added to database: 4/2/2026, 4:23:31 PM
Last enriched: 4/9/2026, 10:43:13 PM
Last updated: 5/20/2026, 3:43:45 PM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.