CVE-2026-34083 Overview
CVE-2026-34083 is an Origin Validation Error vulnerability (CWE-346) in Signal K Server, a server application that runs on a central hub in boats. Prior to version 2.24.0, Signal K Server contains a code-level vulnerability in its OIDC login and logout handlers, where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration option is silently left unset by default, an attacker who can spoof the Host header can steal OAuth authorization codes and hijack user sessions in realistic deployments, since the OIDC provider will then send the authorization code to whatever domain was injected.
Critical Impact
An attacker can hijack user authentication sessions by manipulating the Host header during OIDC authentication flows, potentially gaining unauthorized access to vessel navigation and monitoring systems.
Affected Products
- Signal K Server versions prior to 2.24.0
Discovery Timeline
- 2026-04-02 - CVE-2026-34083 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34083
Vulnerability Analysis
This vulnerability stems from improper validation of the HTTP Host header within Signal K Server's OIDC (OpenID Connect) authentication implementation. When a user initiates the login or logout flow, the server constructs the OAuth2 redirect_uri parameter using the value from the incoming HTTP Host header without proper validation. This is particularly dangerous because the redirectUri configuration option is silently unset by default in typical deployments.
The attack requires network access and user interaction: specifically, the victim must initiate an OIDC authentication flow while the attacker is in a position to manipulate HTTP headers, either from a man-in-the-middle position or by tricking the user into following a malicious link. The changed scope (in CVSS terms) indicates that a successful exploit affects resources beyond the vulnerable component itself, as the OIDC provider becomes an unwitting participant in the attack by redirecting authorization codes to an attacker-controlled domain.
Root Cause
The root cause is an Origin Validation Error (CWE-346) where the application fails to validate that the HTTP Host header originates from an expected, trusted source. The OIDC login and logout handlers blindly trust the Host header value when building the OAuth2 redirect URI. Combined with the default behavior of leaving redirectUri unconfigured, this creates a condition where external input directly controls a security-critical parameter in the authentication flow.
Attack Vector
The attack exploits the network-accessible OIDC authentication endpoints. An attacker crafts a malicious request or link that includes a spoofed Host header pointing to an attacker-controlled domain. When a victim user initiates authentication through this manipulated request, the Signal K Server constructs a redirect_uri pointing to the attacker's domain.
The OIDC identity provider, trusting the redirect_uri provided by the Signal K Server, sends the OAuth authorization code to the attacker's domain instead of the legitimate application. The attacker can then use this authorization code to complete the authentication flow and hijack the victim's session, gaining access to the boat's navigation and sensor data managed by Signal K Server.
The vulnerability requires user interaction (the victim must follow a link or initiate login), but exploitation complexity is low once the attacker can deliver the malicious request. The rated impact on confidentiality and integrity is low, with no direct availability impact.
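The following is an added illustration, not Signal K Server's own code: a simplified Express-style fragment that derives redirect_uri the way the root cause and attack vector above describe, beside a hardened version that refuses to build it from an untrusted Host header. The allowedHosts option and the CALLBACK_PATH value are assumptions for this example (the path mirrors the configuration example later on this page).

```javascript
// Added example, not Signal K Server's own code. Shows the flawed pattern
// (redirect_uri derived from the request Host header when redirectUri is
// unset) next to a hardened one. The allowedHosts option and CALLBACK_PATH
// are assumptions for this example.
const CALLBACK_PATH = '/callback';

// Minimal stand-in for an Express-style request: only the fields used here.
function makeReq(hostHeader, protocol = 'https') {
  return { headers: { host: hostHeader }, protocol };
}

// Flawed pattern: with no configured redirectUri, whatever Host header the
// client sent decides where the OIDC provider will deliver the auth code.
function buildRedirectUriUnsafe(req, config) {
  if (config.redirectUri) return config.redirectUri;
  return `${req.protocol}://${req.headers.host}${CALLBACK_PATH}`;
}

// Case-insensitive allowlist check on the raw Host value (include any port
// form that clients legitimately use, e.g. "boat.example.com:3443").
function hostAllowed(host, allowed) {
  const h = String(host || '').toLowerCase();
  return allowed.some((a) => a.toLowerCase() === h);
}

// Hardened pattern: prefer the explicitly configured redirectUri; otherwise
// accept the Host header only if it is on an operator-supplied allowlist,
// and never fall back to the unvalidated value.
function buildRedirectUriSafe(req, config) {
  if (config.redirectUri) return config.redirectUri;
  const host = String(req.headers.host || '').toLowerCase();
  if (!hostAllowed(host, config.allowedHosts || [])) {
    throw new Error(`refusing to build redirect_uri for untrusted Host "${host}"`);
  }
  // URL normalises the host and rejects values that cannot form a valid origin.
  const u = new URL(`${req.protocol}://${host}`);
  u.pathname = CALLBACK_PATH;
  return u.toString();
}
```

Note that an empty allowlist and no redirectUri makes the hardened builder reject every request, which is the safe failure mode: the fix is to set redirectUri, not to widen the list.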
Detection Methods for CVE-2026-34083
Indicators of Compromise
- Unusual or unexpected Host header values in OIDC authentication request logs that do not match legitimate server domains
- OAuth authorization code requests redirecting to external or unknown domains
- Multiple authentication failures followed by successful logins from different IP addresses
- Evidence of session hijacking through simultaneous active sessions from geographically disparate locations
Detection Strategies
- Monitor HTTP request logs for OIDC endpoints (/login, /logout) with Host headers that do not match expected server hostnames
- Implement web application firewall (WAF) rules to detect and block requests with mismatched or suspicious Host headers
- Configure OIDC provider logging to track redirect URI patterns and alert on unexpected domains
- Review authentication logs for patterns consistent with authorization code interception
Monitoring Recommendations
- Enable detailed logging on Signal K Server OIDC authentication endpoints to capture Host header values
- Set up alerts for any OAuth redirect requests to domains not explicitly allowlisted in the OIDC provider configuration
- Monitor for unusual patterns in user session creation, particularly sessions initiated shortly after failed or anomalous authentication attempts
- Integrate Signal K Server logs with SIEM solutions for correlation with other network-based attack indicators
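As an added example (not part of this advisory or the Signal K project), the scanner below applies two of the detection strategies and monitoring recommendations listed above to access-log lines: an OIDC endpoint reached with a Host header that is not a known server name, and a redirect_uri query value pointing at a foreign domain. The log format, the hostnames and the sample lines are constructed for this example.

```javascript
// Added example, not part of the advisory or the Signal K project. It scans
// access-log lines for two signals from the detection list: an OIDC endpoint
// reached with a Host header that is not a known server name, and a
// redirect_uri query value pointing at a foreign domain. Log format is
// constructed for this example: "<iso-ts> <src-ip> <method> <target> host=<Host>".
const ALLOWED_HOSTS = ['boat.example.com']; // assumed canonical hostname(s)
const OIDC_PATHS = ['/login', '/logout'];   // endpoints named in the advisory
// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2026-04-02T10:00:01Z 10.0.0.5 GET /login host=boat.example.com',
  '2026-04-02T10:00:07Z 10.0.0.5 GET /login host=attacker.example',
  '2026-04-02T10:00:09Z 10.0.0.9 GET /signalk/v1/api/vessels/self host=attacker.example',
  '2026-04-02T10:01:30Z 10.0.0.7 GET /logout?redirect_uri=https%3A%2F%2Fattacker.example%2Fcb host=boat.example.com',
  '2026-04-02T10:02:00Z 10.0.0.7 POST /logout host=BOAT.example.com',
];
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) host=(\S*)$/;
// Case-insensitive exact match; add port forms (host:port) to the list if
// clients legitimately send them, otherwise they will be flagged.
function hostAllowed(host, allowed) {
  const h = String(host || '').toLowerCase();
  return allowed.some((a) => a.toLowerCase() === h);
}

// Returns the findings for one line; an empty array means nothing suspicious.
function scanLine(line, allowed = ALLOWED_HOSTS) {
  const m = LINE_RE.exec(line);
  if (!m) return [{ kind: 'unparseable', line }];
  const [, ts, ip, , target, host] = m;
  const url = new URL(target, 'http://placeholder.invalid'); // base only makes the path parse
  const findings = [];
  // Signal 1: unexpected Host on an OIDC endpoint. Scoped to those paths so
  // ordinary virtual-host probing of other URLs does not drown the alert.
  if (OIDC_PATHS.includes(url.pathname) && !hostAllowed(host, allowed)) {
    findings.push({ ts, ip, kind: 'host-mismatch', host, path: url.pathname });
  }
  // Signal 2: redirect_uri parameter whose host is not one of ours.
  const ru = url.searchParams.get('redirect_uri');
  if (ru !== null) {
    let ruHost = null;
    try { ruHost = new URL(ru).host; } catch (e) { /* not an absolute URL */ }
    if (ruHost === null) findings.push({ ts, ip, kind: 'malformed-redirect-uri', value: ru });
    else if (!hostAllowed(ruHost, allowed)) findings.push({ ts, ip, kind: 'foreign-redirect-uri', host: ruHost });
  }
  return findings;
}

function scanLog(lines, allowed = ALLOWED_HOSTS) {
  return lines.flatMap((l) => scanLine(l, allowed));
}
```

On the sample lines this yields two findings: the spoofed Host on /login and the foreign redirect_uri on /logout; the mismatched Host on a non-OIDC path is deliberately left to broader virtual-host monitoring.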
How to Mitigate CVE-2026-34083
Immediate Actions Required
- Upgrade Signal K Server to version 2.24.0 or later immediately
- Explicitly configure the redirectUri setting in the Signal K Server OIDC configuration to prevent Host header-based injection
- Review OIDC provider settings to ensure only expected redirect URIs are registered and enforced
- Audit authentication logs for any evidence of prior exploitation attempts
Patch Information
The vulnerability has been patched in Signal K Server version 2.24.0. Administrators should upgrade to this version or later to remediate the vulnerability. Detailed release information is available in the GitHub Release v2.24.0. Additional technical details about the vulnerability can be found in the GitHub Security Advisory GHSA-cxj8-ggf2-p57c.
Workarounds
- Explicitly set the redirectUri configuration value in Signal K Server settings to the legitimate server URL, preventing the Host header from being used
- Configure a reverse proxy in front of Signal K Server that enforces a fixed Host header, stripping or rejecting requests with unexpected values
- Restrict network access to OIDC authentication endpoints to trusted networks or VPN connections where Host header manipulation is more difficult
- Implement strict redirect URI validation at the OIDC provider level, rejecting authorization requests with unregistered redirect URIs
# Example: configure an explicit redirectUri in Signal K Server settings
# Edit your Signal K Server configuration file (typically settings.json)
# and add or modify the security/oidc section to include an explicit redirectUri:
{
  "security": {
    "oidc": {
      "redirectUri": "https://your-signalk-server.example.com/callback"
    }
  }
}
# Restart Signal K Server after the configuration change
systemctl restart signalk-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

