CVE-2026-33951 Overview
Signal K Server is a server application that runs on a central hub in a boat, providing a unified data protocol for marine electronics. Prior to version 2.24.0-beta.1, the Signal K Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This vulnerability enables unauthorized manipulation of critical navigation sensor configurations, potentially compromising maritime safety systems.
Critical Impact
Attackers can remotely manipulate which GPS, AIS, or other sensor data sources are trusted by the navigation system without authentication, with changes persisting across server restarts.
Affected Products
- Signal K Server versions prior to 2.24.0-beta.1
Discovery Timeline
- April 2, 2026 - CVE CVE-2026-33951 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33951
Vulnerability Analysis
This vulnerability represents an Improper Access Control flaw (CWE-284) in the Signal K Server application. The core issue lies in the lack of authentication and authorization checks on a sensitive configuration endpoint. When a PUT request is sent to /signalk/v1/api/sourcePriorities, the server directly accepts and applies user-controlled input to modify the priority order of navigation data sources without validating the requester's identity or permissions.
The implications for maritime environments are significant. Navigation systems rely on data from multiple sensors including GPS receivers, AIS transponders, depth sounders, and wind instruments. The source priority configuration determines which sensor data takes precedence when multiple sources provide conflicting information. By manipulating these priorities, an attacker could cause the navigation system to trust a malicious or unreliable data source over legitimate sensors.
Root Cause
The vulnerability stems from missing authentication and authorization controls on the /signalk/v1/api/sourcePriorities endpoint. The endpoint directly assigns user-controlled input to the server configuration without validating that the request originates from an authorized user. Furthermore, configuration changes are immediately persisted to disk, allowing malicious modifications to survive server restarts and maintain persistence.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication credentials. An attacker with network access to the Signal K Server can send crafted HTTP PUT requests to the vulnerable endpoint. The attack requires no user interaction and can be automated.
The attacker would craft a PUT request to /signalk/v1/api/sourcePriorities containing modified priority configurations. Once received, the server immediately applies and persists these changes, potentially causing the navigation system to prioritize attacker-controlled or unreliable data sources over legitimate sensors. This could result in incorrect navigation data being displayed or acted upon by automated systems.
Detection Methods for CVE-2026-33951
Indicators of Compromise
- Unexpected PUT requests to /signalk/v1/api/sourcePriorities endpoint in server access logs
- Unexplained changes to navigation data source priority configurations
- Configuration file modifications not correlating with authorized administrative actions
- Network traffic from untrusted sources targeting Signal K Server HTTP endpoints
Detection Strategies
- Monitor HTTP access logs for PUT requests to the /signalk/v1/api/sourcePriorities endpoint, especially from external or unauthorized IP addresses
- Implement file integrity monitoring on Signal K Server configuration files to detect unauthorized modifications
- Deploy network intrusion detection rules to identify unauthenticated requests to sensitive Signal K endpoints
- Establish baseline source priority configurations and alert on deviations
Monitoring Recommendations
- Enable verbose logging on Signal K Server to capture all configuration change events
- Configure network monitoring to alert on connections to the Signal K Server from unexpected IP ranges
- Implement periodic configuration audits comparing current source priorities against known-good baselines
- Deploy SentinelOne Singularity to monitor for unauthorized process activities and configuration changes on systems running Signal K Server
How to Mitigate CVE-2026-33951
Immediate Actions Required
- Upgrade Signal K Server to version 2.24.0-beta.1 or later immediately
- Restrict network access to the Signal K Server to trusted devices only using firewall rules
- Implement network segmentation to isolate marine navigation systems from untrusted networks
- Audit current source priority configurations to ensure they have not been tampered with
- Review server logs for any evidence of exploitation
Patch Information
The vulnerability has been addressed in Signal K Server version 2.24.0-beta.1. The patch introduces proper authentication and authorization checks for the source priorities endpoint. Users should upgrade to this version or later to remediate the vulnerability. For more information, see the GitHub Release v2.24.0-beta.1 and the GitHub Security Advisory GHSA-gfmv-vh34-h2x5.
Workarounds
- Place Signal K Server behind a reverse proxy with authentication enabled to restrict access to sensitive endpoints
- Configure firewall rules to block external access to the Signal K Server HTTP port
- Implement IP allowlisting to restrict access to only known, trusted devices
- If upgrading is not immediately possible, consider disabling remote network access to the Signal K Server until the patch can be applied
# Example firewall rules to restrict Signal K Server access (iptables)
# Allow only trusted local network (adjust IP range as needed)
iptables -A INPUT -p tcp --dport 3000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
