CVE-2026-34083: CWE-346: Origin Validation Error in SignalK signalk-server
SignalK Server versions prior to 2. 24. 0 contain a vulnerability in the OIDC login and logout handlers where the HTTP Host header is not validated. This allows an attacker to spoof the Host header to manipulate the OAuth2 redirect_uri, potentially stealing OAuth authorization codes and hijacking user sessions. The issue arises because the redirectUri configuration is unset by default, enabling injection of arbitrary domains. This vulnerability has been patched in version 2. 24. 0.
AI Analysis
Technical Summary
CVE-2026-34083 is an origin validation error (CWE-346) in SignalK Server's OIDC login and logout handlers. The server uses the unvalidated HTTP Host header to construct the OAuth2 redirect_uri parameter. Since the redirectUri configuration is unset by default, an attacker can spoof the Host header to cause the OIDC provider to send authorization codes to a domain controlled by the attacker. This can lead to theft of OAuth authorization codes and session hijacking. The vulnerability affects versions prior to 2.24.0 and has been fixed in 2.24.0.
Potential Impact
An attacker who can manipulate the HTTP Host header can steal OAuth authorization codes and hijack user sessions, leading to unauthorized access. The impact includes partial confidentiality and integrity loss (as indicated by CVSS: C:L/I:L) but no availability impact. This can compromise user authentication flows relying on OIDC in affected SignalK Server versions.
Mitigation Recommendations
Upgrade SignalK Server to version 2.24.0 or later, where this vulnerability has been patched. The fix involves proper validation of the HTTP Host header and setting the redirectUri configuration explicitly to prevent injection. No additional mitigations are indicated by the vendor advisory.
CVE-2026-34083: CWE-346: Origin Validation Error in SignalK signalk-server
Description
SignalK Server versions prior to 2. 24. 0 contain a vulnerability in the OIDC login and logout handlers where the HTTP Host header is not validated. This allows an attacker to spoof the Host header to manipulate the OAuth2 redirect_uri, potentially stealing OAuth authorization codes and hijacking user sessions. The issue arises because the redirectUri configuration is unset by default, enabling injection of arbitrary domains. This vulnerability has been patched in version 2. 24. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34083 is an origin validation error (CWE-346) in SignalK Server's OIDC login and logout handlers. The server uses the unvalidated HTTP Host header to construct the OAuth2 redirect_uri parameter. Since the redirectUri configuration is unset by default, an attacker can spoof the Host header to cause the OIDC provider to send authorization codes to a domain controlled by the attacker. This can lead to theft of OAuth authorization codes and session hijacking. The vulnerability affects versions prior to 2.24.0 and has been fixed in 2.24.0.
Potential Impact
An attacker who can manipulate the HTTP Host header can steal OAuth authorization codes and hijack user sessions, leading to unauthorized access. The impact includes partial confidentiality and integrity loss (as indicated by CVSS: C:L/I:L) but no availability impact. This can compromise user authentication flows relying on OIDC in affected SignalK Server versions.
Mitigation Recommendations
Upgrade SignalK Server to version 2.24.0 or later, where this vulnerability has been patched. The fix involves proper validation of the HTTP Host header and setting the redirectUri configuration explicitly to prevent injection. No additional mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.869Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce9803e6bfc5ba1dea5ad1
Added to database: 4/2/2026, 4:23:31 PM
Last enriched: 4/10/2026, 12:00:20 AM
Last updated: 5/20/2026, 8:50:01 PM
Views: 77
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.