SignalK signalk-server is a server application deployed on central hubs in boats to manage and distribute vessel data. Prior to version 2.24.0-beta.4, the server contains a critical security vulnerability identified as CVE-2026-33950, classified under CWE-285 (Improper Authorization), CWE-288 (Authentication Bypass), and CWE-862 (Missing Authorization). The flaw exists in the /enableSecurity endpoint, which lacks proper authorization controls, allowing an unauthenticated attacker to escalate privileges by injecting the Admin role. This unauthorized access grants the attacker full administrative privileges, enabling them to modify sensitive vessel routing information, alter server configurations, and access restricted API endpoints. The vulnerability can be exploited remotely over the network without any user interaction or prior authentication, making it highly dangerous. The CVSS v3.1 base score is 9.4, reflecting the critical impact on confidentiality and integrity, with a low attack complexity and no privileges required. The vulnerability was publicly disclosed and patched in version 2.24.0-beta.4. While no active exploits have been reported, the potential for severe operational disruption and data compromise on maritime vessels is significant.

The exploitation of this vulnerability can have severe consequences for maritime organizations relying on SignalK signalk-server. Attackers gaining administrator access can manipulate vessel routing data, potentially causing navigation errors or collisions. Altered server configurations could disable security features or enable persistent backdoors, compromising vessel safety and operational integrity. Unauthorized access to restricted endpoints may expose sensitive operational data or enable further lateral movement within the vessel's network. The disruption or manipulation of vessel data can lead to financial losses, safety hazards, regulatory non-compliance, and reputational damage. Given the critical nature of maritime navigation and communication systems, this vulnerability poses a high risk to the confidentiality, integrity, and availability of vessel operations worldwide.

Organizations should immediately upgrade all instances of signalk-server to version 2.24.0-beta.4 or later, where the vulnerability is patched. Until upgrades can be performed, restrict network access to the signalk-server, especially the /enableSecurity endpoint, by implementing network segmentation and firewall rules limiting access to trusted personnel and systems only. Employ intrusion detection systems to monitor for unusual access patterns targeting the server. Conduct thorough audits of server configurations and logs to detect any unauthorized changes or access attempts. Additionally, implement strong authentication and authorization controls at the network perimeter and within the vessel's IT infrastructure to reduce exposure. Regularly update and patch all maritime software components and maintain an incident response plan tailored to maritime cybersecurity incidents.