CVE-2026-33951 Overview
CVE-2026-33951 is a broken access control vulnerability in Signal K Server, an open-source server application used as a central data hub on boats for marine navigation and sensor data. Versions prior to 2.24.0-beta.1 expose an unauthenticated HTTP endpoint at PUT /signalk/v1/api/sourcePriorities that allows remote attackers to modify navigation data source priorities without authentication or authorization. The endpoint directly assigns user-controlled input to the server configuration and persists changes to disk. Attackers can influence which GPS, AIS, or other sensor data sources the system trusts.
Critical Impact
Remote unauthenticated attackers can manipulate trusted navigation data sources on Signal K Server, with changes persisting across restarts.
Affected Products
- Signal K Server versions prior to 2.24.0-beta.1
- Deployments exposing the Signal K HTTP API to untrusted networks
- Marine systems integrating GPS, AIS, and sensor feeds via Signal K
Discovery Timeline
- 2026-04-02 - CVE-2026-33951 published to NVD
- 2026-04-06 - Last updated in NVD database
Technical Details for CVE-2026-33951
Vulnerability Analysis
The vulnerability is classified under [CWE-284] Improper Access Control. Signal K Server exposes the PUT /signalk/v1/api/sourcePriorities HTTP endpoint without enforcing authentication or authorization. The endpoint accepts client-supplied JSON describing source priority mappings and writes those values into the server's runtime configuration. The configuration is persisted to disk, so attacker-controlled changes survive restarts.
Source priorities determine which inbound data feed the server trusts when multiple devices report overlapping data, such as conflicting GPS positions from different receivers. By reordering or substituting priorities, an attacker can cause the server to publish data from a less reliable or attacker-influenced source. Downstream chart plotters, autopilots, and AIS displays consuming Signal K data may then act on manipulated values.
Root Cause
The root cause is a missing access control check on a state-changing API route. The handler for sourcePriorities does not validate the requester's session, token, or role before applying the supplied configuration. User-controlled input is written directly to the server configuration store rather than mediated through an authenticated administrative interface.
Attack Vector
Exploitation requires only network reachability to the Signal K Server HTTP API. An attacker on the same local network, or any network where the API is exposed, can issue a single PUT request to /signalk/v1/api/sourcePriorities with a crafted JSON body. No credentials, user interaction, or prior compromise is needed. The vulnerability does not yield direct code execution or data exfiltration, but it does enable integrity attacks against navigation-critical data flows.
No public proof-of-concept exploit code has been published. Technical details are described in the GitHub Security Advisory GHSA-gfmv-vh34-h2x5.
Detection Methods for CVE-2026-33951
Indicators of Compromise
- HTTP PUT requests to /signalk/v1/api/sourcePriorities from unexpected source addresses
- Unexplained changes to the sourcePriorities section of the Signal K Server configuration file on disk
- Sudden shifts in which device identifiers are reported as the active source for GPS, AIS, or environmental data
- Discrepancies between Signal K-published values and raw NMEA 2000 or NMEA 0183 device readings
Detection Strategies
- Enable HTTP access logging on Signal K Server and alert on any PUT requests targeting /signalk/v1/api/sourcePriorities
- Monitor file integrity on the Signal K configuration directory to detect unauthorized writes to source priority settings
- Correlate Signal K source change events with authenticated administrative session activity to surface unauthenticated modifications
Monitoring Recommendations
- Capture Signal K Server logs in a centralized log platform and retain HTTP request metadata for forensic review
- Baseline normal source priority configurations and alert on deviations
- Place network sensors on the marine LAN segment to detect API traffic originating from non-administrative hosts
How to Mitigate CVE-2026-33951
Immediate Actions Required
- Upgrade Signal K Server to version 2.24.0-beta.1 or later, which patches the missing authorization check
- Restrict network exposure of the Signal K HTTP API to trusted management hosts using firewall or host-based rules
- Audit the current sourcePriorities configuration and restore known-good values if tampering is suspected
- Disable remote access to the Signal K Server from guest Wi-Fi or untrusted VLANs
Patch Information
The issue is fixed in Signal K Server 2.24.0-beta.1. Release notes and patched binaries are available at the GitHub Release v2.24.0-beta.1 page. Full advisory details are published in the GitHub Security Advisory GHSA-gfmv-vh34-h2x5.
Workarounds
- Place Signal K Server behind a reverse proxy that requires authentication for all /signalk/v1/api/ routes until the upgrade is applied
- Bind the Signal K Server listener to localhost or a dedicated management interface to remove unauthenticated network access
- Apply network segmentation so that only administrator workstations can reach the Signal K Server management port
# Example iptables rule restricting Signal K API access to a management host
iptables -A INPUT -p tcp --dport 3000 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

