Unauthenticated HTTP Endpoint in Signal K Server Allows Data Manipulation
CVE-2026-33951

6.9 MEDIUM

Key Information:

Vendor: Signalk
CVE Published: 2 April 2026

What is CVE-2026-33951?

Signal K Server, used in nautical applications, exposes an unauthenticated HTTP endpoint that lets an attacker alter navigation data source priorities. The flaw is the absence of authentication and authorization checks on the PUT /signalk/v1/api/sourcePriorities endpoint. An attacker can submit user-controlled input that changes which sources the server trusts for GPS, AIS and other sensor data, and the modified priorities persist across server restarts. The vulnerability is fixed in version 2.24.0-beta.1, which underlines the importance of keeping the server up to date.
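The missing check, as an added example that is not Signal K Server's own code: a minimal model of the handler behind PUT /signalk/v1/api/sourcePriorities, first in the unchecked shape the advisory describes and then with the authentication, authorization and input-validation gate the fix needs. The request object layout, the 'admin' role and the simplified priorities document (Signal K path mapped to an ordered list of source references) are assumptions.

```javascript
// Added example, not Signal K Server's own code. Models the handler behind
// PUT /signalk/v1/api/sourcePriorities as a pure function over a request
// object and a settings store, so both shapes can be compared side by side.
// Assumptions: req = { method, path, user, body }, an 'admin' role, and a
// simplified priorities document { "<skPath>": ["<sourceRef>", ...] }.

const ENDPOINT = '/signalk/v1/api/sourcePriorities';

// Accept only a plain object whose values are non-empty arrays of source refs.
// The order of refs decides which source the server trusts first, so a
// malformed document must be rejected, not stored.
function validPriorities(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) return false;
  return Object.values(body).every(
    (refs) => Array.isArray(refs) && refs.length > 0 &&
      refs.every((ref) => typeof ref === 'string' && ref.length > 0)
  );
}

// Shape described by the advisory: no identity check, no validation, and the
// body goes straight into the persisted settings (survives a restart).
function vulnerablePut(req, settings) {
  if (req.method !== 'PUT' || req.path !== ENDPOINT) return { status: 404 };
  settings.sourcePriorities = req.body;
  return { status: 200 };
}

// Fixed shape: authenticate, authorize, validate, and only then persist.
function hardenedPut(req, settings) {
  if (req.method !== 'PUT' || req.path !== ENDPOINT) return { status: 404 };
  if (!req.user) return { status: 401 };                 // no session at all
  if (req.user.role !== 'admin') return { status: 403 }; // logged in, not allowed
  if (!validPriorities(req.body)) return { status: 400 };
  settings.sourcePriorities = req.body;
  return { status: 200 };
}

// Constructed sample requests: an anonymous write and an admin write.
const anonymousWrite = {
  method: 'PUT', path: ENDPOINT, user: undefined,
  body: { 'navigation.position': ['constructed.source.B'] },
};
const adminWrite = { ...anonymousWrite, user: { id: 'skipper', role: 'admin' } };

const before = {}, after = {};
console.log('vulnerable, anonymous:', vulnerablePut(anonymousWrite, before).status); // 200
console.log('hardened, anonymous:  ', hardenedPut(anonymousWrite, after).status);     // 401
console.log('hardened, admin:      ', hardenedPut(adminWrite, after).status);         // 200
```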

Affected Version(s)

signalk-server < 2.24.0-beta.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved