SignalK Server is a marine navigation server application that runs on a central hub within boats, aggregating sensor data such as GPS and AIS to provide navigation information. Prior to version 2.24.0-beta.1, the server exposes an unauthenticated HTTP endpoint at PUT /signalk/v1/api/sourcePriorities, which allows remote attackers to modify the priority order of navigation data sources. This endpoint lacks any authentication or authorization checks, meaning any attacker with network access to the server can send crafted requests to alter which sensor data sources are trusted by the system. The server immediately applies these changes and persists them to disk, ensuring the manipulation survives server restarts. This improper access control vulnerability corresponds to CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function). The vulnerability is remotely exploitable over the network without any user interaction or privileges, increasing its risk. However, the impact is limited to the integrity of navigation data source prioritization, which could lead to incorrect navigation information being trusted by the system. The vulnerability has been assigned CVE-2026-33951 and carries a CVSS 4.0 score of 6.9, reflecting medium severity. The issue was publicly disclosed on April 2, 2026, and has been patched in version 2.24.0-beta.1 of the SignalK Server. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is on the integrity of navigation data used by the SignalK Server. By manipulating the priority of GPS, AIS, or other sensor data sources, an attacker can cause the system to trust potentially incorrect or malicious data. This could lead to erroneous navigation decisions, potentially endangering vessel safety. While confidentiality and availability are not directly affected, the integrity compromise can have serious operational consequences, especially in critical maritime environments. Organizations operating vessels with SignalK Server versions prior to 2.24.0-beta.1 are at risk of remote manipulation of navigation data priorities if the server is exposed to untrusted networks. This risk is heightened in scenarios where the server is accessible from external or less secure networks, such as public Wi-Fi or compromised onboard networks. The persistence of changes across restarts increases the attack's lasting impact. Although no exploits are known in the wild, the ease of exploitation (no authentication or user interaction required) and network accessibility make this a significant concern for maritime operators relying on SignalK Server for navigation data aggregation.

To mitigate this vulnerability, organizations should upgrade the SignalK Server to version 2.24.0-beta.1 or later, where the issue is patched. Until an upgrade is possible, restrict network access to the SignalK Server to trusted and isolated networks only, preventing exposure to untrusted external networks. Implement network-level controls such as firewalls or VPNs to limit access to the server's HTTP endpoints. Additionally, monitor server logs for unexpected PUT requests to /signalk/v1/api/sourcePriorities and investigate any suspicious activity. Consider deploying application-layer authentication and authorization mechanisms if possible, to prevent unauthorized modification of critical configuration endpoints. Regularly audit and verify navigation data source priorities to detect unauthorized changes. Finally, maintain an incident response plan for maritime navigation systems to quickly address any detected manipulation of sensor data configurations.