{"api_version":"1","generated_at":"2026-04-23T09:41:27+00:00","cve":"CVE-2026-33950","urls":{"html":"https://cve.report/CVE-2026-33950","api":"https://cve.report/api/cve/CVE-2026-33950.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33950","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33950"},"summary":{"title":"signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity","description":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-02 17:16:22","updated_at":"2026-04-06 15:04:42"},"problem_types":["CWE-285","CWE-288","CWE-862","CWE-285 CWE-285: Improper Authorization","CWE-288 CWE-288: Authentication Bypass Using an Alternate Path or Channel","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.4","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.4","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.4,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4","name":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4","refsource":"security-advisories@github.com","tags":["Product","Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf","name":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf","refsource":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33950","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33950","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SignalK","product":"signalk-server","version":"affected < 2.24.0-beta.4","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"signalk","cpe5":"signal_k_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"signalk","cpe5":"signal_k_server","cpe6":"2.24.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"signalk","cpe5":"signal_k_server","cpe6":"2.24.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"signalk","cpe5":"signal_k_server","cpe6":"2.24.0","cpe7":"beta3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"33950","cve":"CVE-2026-33950","epss":"0.000480000","percentile":"0.147410000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33950","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-03T18:00:30.341852Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-03T18:02:34.324Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"signalk-server","vendor":"SignalK","versions":[{"status":"affected","version":"< 2.24.0-beta.4"}]}],"descriptions":[{"lang":"en","value":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.4,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-285","description":"CWE-285: Improper Authorization","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-288","description":"CWE-288: Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T16:08:59.415Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf","tags":["x_refsource_CONFIRM"],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"},{"name":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4","tags":["x_refsource_MISC"],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}],"source":{"advisory":"GHSA-x8hc-fqv3-7gwf","discovery":"UNKNOWN"},"title":"signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-33950","datePublished":"2026-04-02T16:08:59.415Z","dateReserved":"2026-03-24T19:50:52.105Z","dateUpdated":"2026-04-03T18:02:34.324Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-02 17:16:22","lastModifiedDate":"2026-04-06 15:04:42","problem_types":["CWE-285","CWE-288","CWE-862","CWE-285 CWE-285: Improper Authorization","CWE-288 CWE-288: Authentication Bypass Using an Alternate Path or Channel","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*","versionEndExcluding":"2.24.0","matchCriteriaId":"64F9BA25-5552-4477-84F9-83E71B2CA56F"},{"vulnerable":true,"criteria":"cpe:2.3:a:signalk:signal_k_server:2.24.0:beta1:*:*:*:*:*:*","matchCriteriaId":"2484CB8F-BFFE-4F61-ACE2-A59F1F817F42"},{"vulnerable":true,"criteria":"cpe:2.3:a:signalk:signal_k_server:2.24.0:beta2:*:*:*:*:*:*","matchCriteriaId":"D5464B6D-9FB4-4D67-B182-A312E3110AEF"},{"vulnerable":true,"criteria":"cpe:2.3:a:signalk:signal_k_server:2.24.0:beta3:*:*:*:*:*:*","matchCriteriaId":"B521B34B-9F81-46E4-88BB-617A3D8A653E"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33950","Ordinal":"1","Title":"signalk-server: Privilege Escalation by Admin Role Injection via","CVE":"CVE-2026-33950","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33950","Ordinal":"1","NoteData":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.","Type":"Description","Title":"signalk-server: Privilege Escalation by Admin Role Injection via"}]}}}