CVE-2026-33950
Signal · Signal K Server
An unauthenticated privilege escalation vulnerability via Admin Role Injection in Signal K Server allows attackers to gain full administrative access.
Executive summary
A critical privilege escalation vulnerability in Signal K Server prior to version 2.24.0-beta.4 allows unauthenticated attackers to hijack administrative control.
Vulnerability
The vulnerability allows an unauthenticated attacker to inject an administrative role via the /enableSecurity endpoint, resulting in full control over the server.
Business impact
The CVSS score of 9.4 highlights the severe impact of this vulnerability, which grants an attacker full administrative privileges. This could lead to the compromise of vessel routing data, modification of critical system configurations, and total server takeover, creating significant operational and safety risks.
Remediation
Immediate Action: Upgrade Signal K Server to version 2.24.0-beta.4 or higher to remediate the administrative role injection flaw.
Proactive Monitoring: Monitor server logs for suspicious access to the /enableSecurity endpoint and verify the list of authorized administrators for any unauthorized additions.
Compensating Controls: Restrict network access to the Signal K Server management interface to trusted IP addresses only, using a VPN or firewall to limit exposure to the public internet.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for complete administrative compromise, users of Signal K Server must upgrade to the latest version immediately. Furthermore, administrators should conduct an audit of current user permissions and security configurations to ensure no unauthorized administrative accounts were created while the system was vulnerable.