CVSS 9.4 | CVE-2026-35038 | CVE-2026-33951 | CVE-2026-34083 | CVE-2026-33950

Multiple Vulnerabilities in signalk-server

Multiple vulnerabilities discovered in signalk-server, including an arbitrary prototype read, unauthenticated manipulation of navigation data sources, OAuth authorization code theft, and privilege escalation to Administrator. Update to version 2.24.0 or later.


Multiple vulnerabilities have been discovered in signalk-server, a server application for boats, potentially leading to privilege escalation, data manipulation, and information disclosure. They affect versions prior to 2.24.0. Users are advised to update to version 2.24.0 or later to mitigate these risks.

The two vulnerabilities that have a CVSS score range from medium (6.1) to critical (9.4); the other two have no score assigned yet. The critical one allows an unauthenticated attacker to take over the server's administration.

What is Signalk Server?

Signal K Server (signalk-server) is a server application designed to run on a central hub in a boat, managing and distributing navigation data. It handles information from various sensors such as GPS, AIS, and other marine instruments. The server acts as a central point for collecting, processing, and sharing this data across different devices and applications on the vessel. Because of its central role in managing navigation data, vulnerabilities in Signal K Server can have significant consequences, ranging from unauthorized access to vessel data to complete compromise of the server. signalk-server is distributed as an npm package and runs on Node.js.

CVE-2026-35038: Arbitrary Prototype Read via `from` Field Bypass

CVSS: not provided
Affected versions: prior to 2.24.0
EPSS: not provided

Signal K Server is vulnerable to an arbitrary prototype read via a `from` field bypass. A low-privileged authenticated user can bypass the server's prototype boundary filtering and read internal functions and properties from Object.prototype, the global prototype object, rather than only from the vessel data the server intends to expose.
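The following is an added illustration of the arbitrary-prototype-read bug class, not code from this page or from the Signal K project. The page attributes the real bug to filtering of the `from` field; since that handler is not shown here, the example uses a generic dotted-path lookup. The function names `lookupUnsafe` and `lookupSafe`, and the `vesselContext` sample data, are assumptions made for the example.

```javascript
// Added illustration of the arbitrary-prototype-read bug class; this is not
// Signal K Server's code. The dotted-path lookup, the vesselContext sample and
// the function names are assumptions made for the example.

// Constructed sample data of the kind a vessel data server keeps per context.
const vesselContext = {
  navigation: { position: { latitude: 60.17, longitude: 24.94 } },
  internal: { adminToken: 'constructed-secret' },
};

// Vulnerable lookup: only the literal key "__proto__" is rejected. Every plain
// object inherits "constructor", so the path "constructor.prototype.<name>"
// walks out of the data and into Object.prototype, returning internal
// functions such as Object.prototype.toString to a low-privileged caller.
function lookupUnsafe(root, path) {
  let node = root;
  for (const key of path.split('.')) {
    if (key === '__proto__') throw new Error('rejected key');
    if (node === null || node === undefined) return undefined;
    node = node[key];
  }
  return node;
}

// Hardened lookup: each step must be an own property of a plain object or
// array. Inherited names (constructor, prototype, toString, ...) end the walk
// instead of being followed, so the prototype chain is never traversed.
function lookupSafe(root, path) {
  let node = root;
  for (const key of path.split('.')) {
    if (node === null || typeof node !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(node, key)) return undefined;
    node = node[key];
  }
  return node;
}
```

The own-property check is what matters: a denylist of key names (`__proto__`, `constructor`, `prototype`) is only ever as complete as the list, whereas refusing to follow any inherited property closes the whole class. Values that survive the walk should additionally be refused if they are functions, since nothing in legitimate vessel data is a function.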

How to fix CVE-2026-35038 in signalk-server

Patch within 7 days
  1. Update signalk-server to version 2.24.0 or later.
Update signalk-server
npm update signalk-server

npm update only moves within the semver range declared in package.json, so confirm afterwards that the resolved version is 2.24.0 or later and install 2.24.0 explicitly if the range pins an older release. If signalk-server is installed globally rather than as a project dependency, run the update with npm's global flag.

Workaround: No known workaround.

NextGuard automatically flags CVE-2026-35038 if signalk-server appears in any of your monitored projects — no manual lookup required.

CVE-2026-33951: Unauthenticated Source Priorities Manipulation

CVSS: not provided
Affected versions: prior to 2.24.0-beta.1
EPSS: not provided

The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This can influence which GPS, AIS, or other sensor data sources are trusted by the system.

How to fix CVE-2026-33951 in signalk-server

Patch within 24h
  1. Update signalk-server to version 2.24.0-beta.1 or later.
Update signalk-server
npm update signalk-server

The fix first landed in 2.24.0-beta.1; 2.24.0 is the first stable release that contains it. A plain npm update does not select prerelease versions, so it resolves to 2.24.0 or later once the declared semver range allows it; confirm the resolved version afterwards.

Workaround: No known workaround. Until the update is applied, keeping the server's HTTP port off untrusted networks reduces exposure, since the endpoint is reachable without authentication.

NextGuard automatically flags CVE-2026-33951 if signalk-server appears in any of your monitored projects — no manual lookup required.

CVE-2026-34083: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

CVSS: 6.1 (medium)
Affected versions: prior to 2.24.0
EPSS: not provided

Signal K Server's OIDC login and logout handlers build the OAuth2 redirect_uri from the unvalidated HTTP Host header. An attacker who controls the Host header seen by the server can make the identity provider deliver the authorization code to a host they control, steal the code, and hijack the user's session.
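The following is an added example of the Host-header-to-redirect_uri pattern beside a hardened form; it is not code from this page or from the Signal K project. The callback path `/signalk/login/callback`, the `oidcConfig` object, the sample requests and the function names are assumptions made for the example.

```javascript
// Added example of deriving redirect_uri from the Host header, and a hardened
// form; this is not Signal K Server's code. The callback path, the config
// object, the sample requests and the function names are assumptions.

// Vulnerable: the redirect_uri is derived from the client-controlled Host
// header. A request carrying "Host: attacker.example" produces a redirect_uri
// on the attacker's domain, and the identity provider returns the
// authorization code there.
function buildRedirectUriUnsafe(req) {
  const proto = req.headers['x-forwarded-proto'] || 'http';
  return `${proto}://${req.headers.host}/signalk/login/callback`;
}

// Hardened: the public base URL is fixed in configuration, and the Host header
// is only used to reject requests that do not match the configured hostnames.
function buildRedirectUriSafe(req, config) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!config.allowedHosts.includes(host)) {
    throw new Error(`untrusted Host header: ${JSON.stringify(host)}`);
  }
  return `${config.publicBaseUrl}/signalk/login/callback`;
}

// The authorization request the user is sent to. redirect_uri travels as a
// query parameter, which is why a spoofed value ends up honoured by the provider.
function authorizationRequestUrl(authorizeEndpoint, clientId, redirectUri, state) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Constructed requests: one with a spoofed Host header, one from the real hostname.
const spoofedRequest = { headers: { host: 'attacker.example' } };
const genuineRequest = { headers: { host: 'boat.example' } };
const oidcConfig = { publicBaseUrl: 'https://boat.example', allowedHosts: ['boat.example'] };
```

The Host header includes the port when the server is reached on a non-default one, so the allowlist has to contain that form too (for example `boat.example:3000`). Exact matching of registered redirect URIs at the identity provider is a second line of defence, but it does not remove the server-side flaw: the server must never derive a security-relevant URL from a header the client chooses.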

How to fix CVE-2026-34083 in signalk-server

Patch within 24h
  1. Update signalk-server to version 2.24.0 or later.
Update signalk-server
npm update signalk-server

npm update only moves within the semver range declared in package.json, so confirm afterwards that the resolved version is 2.24.0 or later and install 2.24.0 explicitly if the range pins an older release.

Workaround: No known workaround.

NextGuard automatically flags CVE-2026-34083 if signalk-server appears in any of your monitored projects — no manual lookup required.

CVE-2026-33950: Privilege Escalation by Admin Role Injection via /enableSecurity

CVSS: 9.4 (critical)
Affected versions: prior to 2.24.0-beta.4
EPSS: not provided

An unauthenticated attacker can gain full Administrator access to the Signal K server at any time, which allows them to modify sensitive vessel routing data, alter server configuration, and access restricted endpoints. The attacker injects an administrator role through the /enableSecurity endpoint, which is reachable without authentication.
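The following added example covers both unauthenticated mutation endpoints described on this page: the source priorities endpoint (CVE-2026-33951) and /enableSecurity (CVE-2026-33950). It is not code from this page or from the Signal K project. The `/sourcePriorities` path, the request shape (`method`, `path`, `body`, `user`), the `makeState` object and the role names are assumptions; `req.user` is assumed to be set by an upstream session check, or absent for an unauthenticated request.

```javascript
// Added example of two mutation endpoints exposed without an authorization
// check, beside a hardened router; this is not Signal K Server's code. The
// /sourcePriorities path, the request shape, the state object and the role
// names are assumptions. req.user is assumed to be set by an upstream session
// check, or absent.

function makeState() {
  return {
    securityEnabled: false,
    users: {},                                           // username -> { type }
    sourcePriorities: { 'navigation.position': ['gps.primary', 'ais.0'] },
  };
}

// Vulnerable router: neither route checks who is calling. Anyone who can reach
// the port reorders which sensor feeds win, and /enableSecurity keeps working
// after security is switched on, storing whatever "type" the body supplies.
function handleUnsafe(req, state) {
  if (req.method === 'PUT' && req.path === '/sourcePriorities') {
    state.sourcePriorities = req.body;
    return { status: 200 };
  }
  if (req.method === 'POST' && req.path === '/enableSecurity') {
    state.securityEnabled = true;
    state.users[req.body.userId] = { type: req.body.type };
    return { status: 200 };
  }
  return { status: 404 };
}

const ROLES = ['admin', 'readwrite', 'readonly'];

// Hardened router: mutations require an authenticated admin; /enableSecurity is
// a one-time bootstrap that assigns the admin role itself, and afterwards it is
// an admin-only user-management call whose role is validated against ROLES.
function handleSafe(req, state) {
  const caller = req.user ? state.users[req.user] : undefined;
  const isAdmin = caller !== undefined && caller.type === 'admin';
  const deny = () => ({ status: req.user ? 403 : 401 });

  if (req.method === 'PUT' && req.path === '/sourcePriorities') {
    if (!isAdmin) return deny();
    state.sourcePriorities = req.body;
    return { status: 200 };
  }
  if (req.method === 'POST' && req.path === '/enableSecurity') {
    if (!state.securityEnabled) {
      state.securityEnabled = true;
      state.users[req.body.userId] = { type: 'admin' };  // role chosen by the server
      return { status: 200 };
    }
    if (!isAdmin) return deny();
    const type = ROLES.includes(req.body.type) ? req.body.type : 'readonly';
    state.users[req.body.userId] = { type };
    return { status: 200 };
  }
  return { status: 404 };
}
```

Two properties carry the fix: the role stored for a user is decided or validated by the server, never copied from the request, and the bootstrap path stops being reachable by unauthenticated callers once security is on. The one-shot bootstrap still has to be completed before the port is exposed to untrusted networks; the example does not address that window.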

How to fix CVE-2026-33950 in signalk-server

Patch immediately
  1. Update signalk-server to version 2.24.0-beta.4 or later.
Update signalk-server
npm update signalk-server

The fix first landed in 2.24.0-beta.4; 2.24.0 is the first stable release that contains it. A plain npm update does not select prerelease versions, so it resolves to 2.24.0 or later once the declared semver range allows it; confirm the resolved version afterwards.

Workaround: No known workaround. Until the update is applied, keeping the server's HTTP port off untrusted networks reduces exposure, since the endpoint is reachable without authentication.

NextGuard automatically flags CVE-2026-33950 if signalk-server appears in any of your monitored projects — no manual lookup required.

Stay ahead of nodejs vulnerabilities

Proactively detect and remediate vulnerabilities in your nodejs projects. Use NextGuard to monitor your nodejs dependencies.


Frequently asked questions

Multiple vulnerabilities were discovered in signalk-server. Updating to version 2.24.0 or later removes all four and is the only complete mitigation for the navigation system.

Related topics

nodejs, vulnerability, signalk-server, security, patch