Platform: nodejs
Component: signalk-server
Fixed in: 2.24.1, 2.24.0-beta.4
CVE-2026-33950 is a privilege escalation vulnerability in SignalK Server. The flaw allows attackers to create unauthorized administrator accounts and thereby gain full control over the server. It affects SignalK Server versions prior to 2.24.0-beta.4; the fix was released in that version.
The primary impact of CVE-2026-33950 is the ability for an attacker to create a new administrator account on the SignalK server without proper authentication. This grants them complete control over the server's configuration, data, and functionality. An attacker could modify data, disable security features, or even use the server as a launchpad for further attacks within the network. Given SignalK's use in marine and IoT applications, this could lead to compromised navigation data, control of connected devices, and potential safety risks. The persistent exposure of the /skServer/enableSecurity endpoint, even after initial setup, significantly increases the attack surface.
CVE-2026-33950 was publicly disclosed on 2026-04-03. The vulnerability's simplicity and the persistent exposure of the endpoint suggest a moderate probability of exploitation (medium EPSS score). No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a likely target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33950 is to upgrade SignalK Server to version 2.24.0-beta.4 or later. If an immediate upgrade is not possible, temporarily restrict access to the /skServer/enableSecurity endpoint with a firewall or access control list (ACL). This does not fix the underlying issue, but it reduces the immediate risk. Monitor server logs for any unauthorized attempts to reach or use the /skServer/enableSecurity endpoint. After upgrading, confirm the endpoint is no longer accessible by sending a request to it and verifying that a 404 or similar error is returned.
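One way to do the log monitoring recommended above, as an added example that is not part of this advisory or of the SignalK project: it assumes a reverse proxy in front of Signal K writing Apache/nginx combined-format access logs, and the sample log lines are constructed for illustration.

```javascript
// Added example (not SignalK project code): flag requests to the
// /skServer/enableSecurity endpoint in access logs written by a reverse
// proxy in front of Signal K. Assumes Apache/nginx "combined" format;
// the sample lines below are constructed, not real traffic.

const WATCHED_PATH = '/skServer/enableSecurity';

// combined format: client ident user [time] "METHOD path proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Loopback/RFC 1918 sources are treated as expected (an assumption for this example).
function isLocalClient(ip) {
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$)/.test(ip);
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// One finding per request to the endpoint, whatever the HTTP method.
// 'high' when the server answered 2xx (the request was processed),
// 'medium' otherwise (a probe, or a request refused after the fix).
function findEnableSecurityRequests(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    if (r.path.split('?')[0] !== WATCHED_PATH) continue;
    const accepted = r.status >= 200 && r.status < 300;
    findings.push({ ...r, external: !isLocalClient(r.client),
                    severity: accepted ? 'high' : 'medium' });
  }
  return findings;
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  '10.0.0.5 - - [03/Apr/2026:10:00:01 +0000] "GET /signalk/v1/api/vessels/self HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.7 - - [03/Apr/2026:10:00:02 +0000] "POST /skServer/enableSecurity HTTP/1.1" 200 48 "-" "python-requests/2.31"',
  '10.0.0.5 - - [03/Apr/2026:10:00:03 +0000] "GET /skServer/enableSecurity?x=1 HTTP/1.1" 404 12 "-" "curl/8.0"',
].join('\n');

for (const f of findEnableSecurityRequests(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.time} ${f.client} ${f.method} ${f.path} -> ${f.status}${f.external ? ' (external source)' : ''}`);
}
```

A 2xx answer from an external source before the upgrade is the case to treat as a likely account-creation attempt; after the upgrade, the same requests should only ever show up as 'medium' findings with a 404 status.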
Update Signal K Server to version 2.24.0-beta.4 or higher. This version fixes the privilege escalation vulnerability that allows unauthenticated attackers to gain administrator access. The update will prevent unauthorized modification of routing data and server configurations.
CVE-2026-33950 is a critical vulnerability in SignalK Server where the /skServer/enableSecurity endpoint remains open after initial admin setup, allowing unauthorized account creation.
You are affected if you are running SignalK Server versions prior to 2.24.0-beta.4. Check your version and upgrade immediately.
Upgrade SignalK Server to version 2.24.0-beta.4 or later. As a temporary workaround, restrict access to the /skServer/enableSecurity endpoint.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation.
Refer to the SignalK security documentation for the latest information and advisory regarding CVE-2026-33950.