Platform: nodejs
Component: signalk-server
Fixed in: 2.24.1, 2.24.0-beta.1
CVE-2026-33951 affects the SignalK Server, a software component used for marine navigation data management. This vulnerability allows unauthenticated attackers to remotely modify the priority of navigation data sources, potentially leading to inaccurate or manipulated sensor readings. The vulnerability impacts versions of SignalK Server prior to 2.24.0-beta.1, and a fix is available in that version.
The core impact of CVE-2026-33951 lies in the ability of an attacker to influence the data that a vessel relies on for navigation. By manipulating the source priorities, an attacker could elevate the trust level of malicious or inaccurate data sources (e.g., spoofed GPS signals, compromised AIS transponders) while demoting legitimate ones. This could lead to incorrect course plotting, collision avoidance failures, and ultimately, dangerous navigational errors. The persistence of these changes to disk means that even a server restart won't undo the attacker's modifications, ensuring continued influence. The blast radius extends to any system relying on the compromised SignalK Server for navigation data, potentially impacting multiple vessels and individuals.
CVE-2026-33951 was published on 2026-04-03. Its CVSS score of 7.5 (HIGH) indicates a significant risk. Currently, there are no publicly known Proof-of-Concept (POC) exploits. The EPSS score is pending evaluation. While no active campaigns have been reported, the unauthenticated nature of the vulnerability makes it a potential target for opportunistic attackers, particularly given the critical nature of navigation data.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-33951 is to upgrade SignalK Server to version 2.24.0-beta.1 or later. Prior to upgrading, consider creating a backup of your existing SignalK configuration to facilitate a rollback if the upgrade introduces unforeseen compatibility issues. As a temporary workaround, consider implementing network-level restrictions to limit access to the /signalk/v1/api/sourcePriorities endpoint. This could involve using a Web Application Firewall (WAF) or proxy server to block unauthorized requests. Additionally, monitor your SignalK server logs for any unusual activity related to source priority changes. After upgrading, confirm the fix by verifying that unauthorized attempts to modify source priorities are rejected and that the system is using the expected data sources.
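As an added example of the log monitoring suggested above (not code from the SignalK project or from this advisory), the following Python check reads reverse-proxy access-log lines and flags write requests to the /signalk/v1/api/sourcePriorities endpoint that came from outside a trusted network; after the upgrade or proxy restriction, none of the flagged requests should have been answered with a 2xx. The HTTP write methods, the trusted networks and the sample log lines are assumptions, not details given in the advisory.

```python
import ipaddress
import re

# Endpoint named in the advisory. The HTTP write methods are an assumption:
# the advisory does not state which method changes the priorities.
SOURCE_PRIORITIES_PATH = "/signalk/v1/api/sourcePriorities"
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}

# Networks from which administration is expected (assumed example values).
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.1/32"),
                    ipaddress.ip_network("10.10.0.0/24")]

# Minimal parser for NCSA combined-format lines as written by a reverse proxy.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def flag_priority_writes(lines):
    """Write requests to the source-priorities endpoint from untrusted addresses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry, skip it
        if (m["method"] in WRITE_METHODS
                and m["path"].startswith(SOURCE_PRIORITIES_PATH)
                and not is_trusted(m["ip"])):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"])})
    return hits

def accepted_writes(hits):
    """Flagged writes the server answered with 2xx: once the fix or the proxy
    restriction is in place this list should be empty."""
    return [h for h in hits if 200 <= h["status"] < 300]

# Constructed sample lines (not from a real server): a trusted admin write,
# a harmless read, and two writes from an untrusted address.
SAMPLE_LOG = [
    '10.10.0.5 - - [03/Apr/2026:10:00:01 +0000] "PUT /signalk/v1/api/sourcePriorities HTTP/1.1" 200 17',
    '203.0.113.9 - - [03/Apr/2026:10:01:12 +0000] "GET /signalk/v1/api/vessels/self HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Apr/2026:10:01:15 +0000] "PUT /signalk/v1/api/sourcePriorities HTTP/1.1" 200 17',
    '203.0.113.9 - - [03/Apr/2026:10:02:30 +0000] "POST /signalk/v1/api/sourcePriorities HTTP/1.1" 401 0',
]
```

Running `accepted_writes(flag_priority_writes(SAMPLE_LOG))` on the constructed lines returns the single accepted PUT from 203.0.113.9, which is exactly the kind of entry that should no longer appear after remediation.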
Update Signal K Server to version 2.24.0-beta.1 or higher. This version fixes the vulnerability that allows unauthenticated manipulation of data source priorities.
It's a vulnerability in SignalK Server allowing unauthenticated attackers to change the priority of navigation data sources, potentially leading to inaccurate readings.
If you are running SignalK Server versions prior to 2.24.0-beta.1, you are potentially affected by this vulnerability.
Upgrade SignalK Server to version 2.24.0-beta.1 or later. Back up your configuration before upgrading.
No active campaigns have been reported, but the unauthenticated nature makes it a potential target.
Refer to the official SignalK project website and security advisories for more details and updates.