CVE-2026-33950 · CRITICAL 9.4 · EPSS percentile 33.3%

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.42% probability of exploitation · percentile 33.3% · scored 2026-06-19T12:03:05Z
Published: 2026-04-02
Last modified: 2026-04-06

Underlying weaknesses (3)

CWE-285, CWE-288, CWE-862

References

  1. https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4
  2. https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf

Weakness mappings (3)

| Type     | Target                                                   | CWE     | Confidence | Tier |
|----------|----------------------------------------------------------|---------|------------|------|
| Weakness | Improper Authorization                                   | CWE-285 | 0%         | live |
| Weakness | Authentication Bypass Using an Alternate Path or Channel | CWE-288 | 0%         | live |
| Weakness | Missing Authorization                                    | CWE-862 | 0%         | live |

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-23515
  - CVE: CVE-2025-66398
  - CVE: CVE-2025-68620
  - CVE: CVE-2025-69203
  - CVE: CVE-2026-33105
  - CVE: CVE-2026-10693

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.