Platform: nodejs
Component: signalk-server
Fixed in: 2.24.1, 2.24.0
CVE-2026-34083 affects SignalK Server, a marine electronics data server. This vulnerability arises from the improper handling of the HTTP Host header within the OIDC (OpenID Connect) login and logout handlers. An attacker can exploit this flaw to construct a malicious OAuth2 redirect_uri, potentially leading to session hijacking and unauthorized access to user accounts. The vulnerability impacts versions of SignalK Server prior to 2.24.0, and a fix is available in that version.
The core of this vulnerability lies in SignalK Server's failure to validate the HTTP Host header when constructing the OAuth2 redirect_uri during OIDC authentication. Because the redirectUri is not explicitly configured and defaults to being unset, the server derives it from the request, so an attacker can supply a malicious Host header. This lets the attacker control the domain to which the authorization code is sent after a user authenticates with the OIDC provider. Successful exploitation results in the attacker receiving the authorization code, which can then be used to impersonate the user and gain access to their SignalK data and potentially other connected systems. This is particularly concerning in environments where SignalK Server is integrated with other maritime systems or services, as a compromised account could provide a broader attack surface. The OIDC specification explicitly prohibits deriving the redirect_uri from untrusted input, highlighting the severity of this misconfiguration.
CVE-2026-34083 was published on 2026-04-03. The vulnerability's severity is currently assessed as MEDIUM (CVSS 6.1). There are no known public exploits or active campaigns targeting this vulnerability at the time of publication. It is not listed in the CISA KEV catalog and its EPSS score is low, suggesting a low to medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34083 is to upgrade SignalK Server to version 2.24.0 or later, which includes the necessary validation to prevent Host header spoofing. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter incoming HTTP Host headers and block those that do not match the expected values. Specifically, configure the WAF to reject requests with Host headers that deviate from the legitimate SignalK Server domain. Additionally, carefully review and restrict access to the SignalK Server instance, limiting it to trusted networks and users. After upgrading, confirm the fix by attempting a login with OIDC and verifying that the redirect_uri is correctly constructed and does not reflect any manipulated Host header values.
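The mechanism described above (a redirect_uri assembled from the request's Host header) and the mitigation (only accept Host values that match the expected domain) are illustrated below in an added Node.js example. This is not SignalK Server's own code: the callback path, the `publicOrigin`/`allowedHosts` configuration shape and the hostnames are assumptions made for the illustration.

```javascript
// Added example, not SignalK Server's code. Shows a redirect_uri derived from
// the request's Host header beside a version built from trusted configuration,
// plus a Host-allowlist check of the kind a reverse proxy or middleware applies.
// Callback path, config keys and hostnames are assumptions for illustration.

const CALLBACK_PATH = '/auth/oidc/callback'; // placeholder path, not SignalK's

// Vulnerable pattern: the callback URL is assembled from request-controlled data,
// so whoever controls the Host header controls where the authorization code goes.
function buildRedirectUriFromHost(req) {
  const proto = req.protocol || 'http';
  return `${proto}://${req.headers.host}${CALLBACK_PATH}`;
}

// Normalize a Host header value so allowlist comparison is uniform.
// Rejects anything that is not host[:port] (userinfo, paths, spaces, ...), then
// lets the URL parser lowercase the hostname and drop a default port.
function normalizeHost(host) {
  if (typeof host !== 'string' || host.length === 0) return null;
  if (!/^[A-Za-z0-9.\-:\[\]]+$/.test(host)) return null;
  try {
    return new URL(`http://${host}`).host.toLowerCase();
  } catch {
    return null;
  }
}

function isAllowedHost(hostHeader, allowedHosts) {
  const host = normalizeHost(hostHeader);
  if (host === null) return false;
  return allowedHosts.some((h) => normalizeHost(h) === host);
}

// Hardened pattern: prefer a fixed, operator-supplied public origin; otherwise
// only trust Host when it is on an explicit allowlist, and refuse the flow if not.
function buildRedirectUriSafely(req, config) {
  if (config.publicOrigin) {
    return new URL(CALLBACK_PATH, config.publicOrigin).toString();
  }
  if (!isAllowedHost(req.headers.host, config.allowedHosts || [])) {
    throw new Error('Untrusted Host header; refusing to construct redirect_uri');
  }
  const proto = config.forceHttps ? 'https' : (req.protocol || 'http');
  return `${proto}://${normalizeHost(req.headers.host)}${CALLBACK_PATH}`;
}

// Middleware-style check matching the mitigation section: reject the request
// outright when Host does not match the expected values.
function hostAllowlistMiddleware(allowedHosts) {
  return (req, res, next) => {
    if (!isAllowedHost(req.headers.host, allowedHosts)) {
      res.statusCode = 400;
      res.end('Bad Host header');
      return;
    }
    next();
  };
}

// Constructed sample requests (not captured traffic).
const legitimateReq = { protocol: 'https', headers: { host: 'boat.example:3000' } };
const spoofedReq = { protocol: 'https', headers: { host: 'attacker.example' } };

function demo() {
  const result = {
    vulnerableWithSpoofedHost: buildRedirectUriFromHost(spoofedReq),
    hardenedFromConfig: buildRedirectUriSafely(legitimateReq, {
      publicOrigin: 'https://boat.example:3000',
    }),
    hardenedRejectsSpoofedHost: null,
  };
  try {
    buildRedirectUriSafely(spoofedReq, { allowedHosts: ['boat.example:3000'] });
  } catch (e) {
    result.hardenedRejectsSpoofedHost = e.message;
  }
  return result;
}

console.log(demo());
```

The configured `publicOrigin` route is the one to prefer: it removes the Host header from the decision entirely. The allowlist fallback exists for deployments reached under more than one name, and the same `isAllowedHost` check is what a reverse proxy or WAF rule in front of the server should enforce.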
Update Signal K Server to version 2.24.0 or later. This version fixes the OAuth authorization code theft vulnerability by correctly validating the HTTP Host header in the OIDC flow.
CVE-2026-34083 is a vulnerability in SignalK Server where attackers can hijack user sessions by manipulating the HTTP Host header during OIDC login, leading to unauthorized access.
If you are running SignalK Server versions prior to 2.24.0, you are potentially affected by this vulnerability. Assess your deployment immediately.
Upgrade SignalK Server to version 2.24.0 or later. If immediate upgrade isn't possible, implement WAF rules to filter Host headers.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but vigilance is still advised.
Refer to the official SignalK Server documentation and security advisories for detailed information and updates on this vulnerability.