Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33951

CVE-2026-33951: Signal K Server Auth Bypass Vulnerability

CVE-2026-33951 is an authentication bypass flaw in Signal K Server allowing attackers to modify navigation data priorities without credentials. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2026-33951 Overview

CVE-2026-33951 is a broken access control vulnerability in Signal K Server, an open-source server application used as a central data hub on boats for marine navigation and sensor data. Versions prior to 2.24.0-beta.1 expose an unauthenticated HTTP endpoint at PUT /signalk/v1/api/sourcePriorities that allows remote attackers to modify navigation data source priorities without authentication or authorization. The endpoint directly assigns user-controlled input to the server configuration and persists changes to disk. Attackers can influence which GPS, AIS, or other sensor data sources the system trusts.

Critical Impact

Remote unauthenticated attackers can manipulate trusted navigation data sources on Signal K Server, with changes persisting across restarts.

Affected Products

  • Signal K Server versions prior to 2.24.0-beta.1
  • Deployments exposing the Signal K HTTP API to untrusted networks
  • Marine systems integrating GPS, AIS, and sensor feeds via Signal K

Discovery Timeline

  • 2026-04-02 - CVE-2026-33951 published to NVD
  • 2026-04-06 - Last updated in NVD database

Technical Details for CVE-2026-33951

Vulnerability Analysis

The vulnerability is classified under [CWE-284] Improper Access Control. Signal K Server exposes the PUT /signalk/v1/api/sourcePriorities HTTP endpoint without enforcing authentication or authorization. The endpoint accepts client-supplied JSON describing source priority mappings and writes those values into the server's runtime configuration. The configuration is persisted to disk, so attacker-controlled changes survive restarts.

Source priorities determine which inbound data feed the server trusts when multiple devices report overlapping data, such as conflicting GPS positions from different receivers. By reordering or substituting priorities, an attacker can cause the server to publish data from a less reliable or attacker-influenced source. Downstream chart plotters, autopilots, and AIS displays consuming Signal K data may then act on manipulated values.

Root Cause

The root cause is a missing access control check on a state-changing API route. The handler for sourcePriorities does not validate the requester's session, token, or role before applying the supplied configuration. User-controlled input is written directly to the server configuration store rather than mediated through an authenticated administrative interface.

Attack Vector

Exploitation requires only network reachability to the Signal K Server HTTP API. An attacker on the same local network, or any network where the API is exposed, can issue a single PUT request to /signalk/v1/api/sourcePriorities with a crafted JSON body. No credentials, user interaction, or prior compromise is needed. The vulnerability does not yield direct code execution or data exfiltration, but it does enable integrity attacks against navigation-critical data flows.

No public proof-of-concept exploit code has been published. Technical details are described in the GitHub Security Advisory GHSA-gfmv-vh34-h2x5.

Detection Methods for CVE-2026-33951

Indicators of Compromise

  • HTTP PUT requests to /signalk/v1/api/sourcePriorities from unexpected source addresses
  • Unexplained changes to the sourcePriorities section of the Signal K Server configuration file on disk
  • Sudden shifts in which device identifiers are reported as the active source for GPS, AIS, or environmental data
  • Discrepancies between Signal K-published values and raw NMEA 2000 or NMEA 0183 device readings

Detection Strategies

  • Enable HTTP access logging on Signal K Server and alert on any PUT requests targeting /signalk/v1/api/sourcePriorities
  • Monitor file integrity on the Signal K configuration directory to detect unauthorized writes to source priority settings
  • Correlate Signal K source change events with authenticated administrative session activity to surface unauthenticated modifications

Monitoring Recommendations

  • Capture Signal K Server logs in a centralized log platform and retain HTTP request metadata for forensic review
  • Baseline normal source priority configurations and alert on deviations
  • Place network sensors on the marine LAN segment to detect API traffic originating from non-administrative hosts

How to Mitigate CVE-2026-33951

Immediate Actions Required

  • Upgrade Signal K Server to version 2.24.0-beta.1 or later, which patches the missing authorization check
  • Restrict network exposure of the Signal K HTTP API to trusted management hosts using firewall or host-based rules
  • Audit the current sourcePriorities configuration and restore known-good values if tampering is suspected
  • Disable remote access to the Signal K Server from guest Wi-Fi or untrusted VLANs

Patch Information

The issue is fixed in Signal K Server 2.24.0-beta.1. Release notes and patched binaries are available at the GitHub Release v2.24.0-beta.1 page. Full advisory details are published in the GitHub Security Advisory GHSA-gfmv-vh34-h2x5.

Workarounds

  • Place Signal K Server behind a reverse proxy that requires authentication for all /signalk/v1/api/ routes until the upgrade is applied
  • Bind the Signal K Server listener to localhost or a dedicated management interface to remove unauthenticated network access
  • Apply network segmentation so that only administrator workstations can reach the Signal K Server management port
bash
# Example iptables rule restricting Signal K API access to a management host
iptables -A INPUT -p tcp --dport 3000 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.