OIDC Login Vulnerability in Signal K Server by Signal K
CVE-2026-34083

6.1 MEDIUM

Key Information:

Vendor

Signalk

CVE Published:
2 April 2026

What is CVE-2026-34083?

Signal K Server, which is used as a central hub in boating applications, has a vulnerability in its OIDC login and logout handling. The server builds the OAuth2 redirect_uri from the HTTP Host header without validating it, and because redirectUri is unset in the default configuration, this request-derived value is what gets used. Attackers can therefore craft HTTP requests with a spoofed Host header, which lets them capture OAuth authorization codes and potentially hijack user sessions. The vulnerability is fixed in version 2.24.0. For more details, see the official advisory on GitHub.
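The pattern the advisory describes, shown as an added JavaScript illustration that is not Signal K Server's own code: the weak handler derives redirect_uri from the request's Host header whenever redirectUri is unset, while the hardened form uses a configured redirectUri or checks Host against an allowlist and refuses otherwise. The callback path and the `allowedHosts` and `forceHttps` settings are assumptions made for this example.

```javascript
// Added example (not Signal K Server's code). Request objects mimic the
// Express-style shape (req.protocol, req.headers); the callback path and the
// `allowedHosts` / `forceHttps` settings are assumptions for this illustration.
const CALLBACK_PATH = '/auth/oidc/callback'; // assumed path

// Weak form, as the advisory describes: with redirectUri unset (the default),
// redirect_uri is built from the unvalidated Host header, so whatever host the
// request carries is where the identity provider will send the authorization code.
function buildRedirectUriUnsafe(req, config = {}) {
  if (config.redirectUri) return config.redirectUri;
  const proto = req.headers['x-forwarded-proto'] || req.protocol;
  return `${proto}://${req.headers.host}${CALLBACK_PATH}`;
}

// Hardened form: prefer an explicitly configured redirectUri; otherwise accept
// the Host header only when it matches an operator-maintained allowlist, and
// refuse to build a redirect_uri at all when it does not.
function buildRedirectUriSafe(req, config = {}) {
  if (config.redirectUri) return config.redirectUri;
  const host = String(req.headers.host || '').toLowerCase();
  const allowed = (config.allowedHosts || []).map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    // Reject and surface it: a Host mismatch on the login path is worth an
    // alert, since it is the precondition for redirecting a code off-host.
    throw new Error(`OIDC login refused: untrusted Host header "${host}"`);
  }
  const proto = config.forceHttps ? 'https' : req.protocol;
  return `${proto}://${host}${CALLBACK_PATH}`;
}

// Constructed sample requests: one from the server's real hostname and one
// carrying a spoofed Host header.
const legitReq = { protocol: 'https', headers: { host: 'boat.example.net' } };
const spoofedReq = { protocol: 'https', headers: { host: 'spoofed.example' } };
const hardenedConfig = { allowedHosts: ['boat.example.net'], forceHttps: true };

console.log('weak   :', buildRedirectUriUnsafe(spoofedReq)); // https://spoofed.example/auth/oidc/callback
console.log('safe   :', buildRedirectUriSafe(legitReq, hardenedConfig));
try {
  buildRedirectUriSafe(spoofedReq, hardenedConfig);
} catch (err) {
  console.log('refused:', err.message);
}
```

Setting redirectUri explicitly, as the fixed release expects, is the simplest mitigation; the allowlist path is for deployments that must derive the value at runtime.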

Affected Version(s)

signalk-server < 2.24.0


CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved