Cyber Resilience

CVE-2026-33950

CriticalPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0042 33.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33950 is a critical-severity Improper Authorization (CWE-285) vulnerability in Signalk Signal K Server. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33950 is a privilege escalation vulnerability in Signal K Server, an application that runs on a central hub in boats to manage vessel data. Prior to version 2.24.0-beta.4, the flaw allows Admin Role Injection via the /enableSecurity endpoint, enabling attackers to bypass authentication and authorization controls. It is associated with CWE-285 (Improper Authorization), CWE-288 (Authentication Bypass Using an Alternate Path or Channel), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), reflecting high confidentiality, integrity, and limited availability impact.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full Administrator access to the Signal K Server at any time, allowing the attacker to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints, potentially compromising navigation safety and operational integrity.

The issue has been addressed in Signal K Server version 2.24.0-beta.4. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf and the release notes at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access…

more

to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated privilege escalation in a public-facing web application (/enableSecurity endpoint) that bypasses auth/authz to grant full admin access, directly mapping to exploitation of public-facing apps for initial access and priv esc.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68620Same product: Signalk Signal K Server
CVE-2025-69203Same product: Signalk Signal K Server
CVE-2025-68619Same product: Signalk Signal K Server
CVE-2025-66398Same product: Signalk Signal K Server
CVE-2026-33951Same product: Signalk Signal K Server
CVE-2026-23515Same product: Signalk Signal K Server
CVE-2026-39320Same product: Signalk Signal K Server
CVE-2025-68272Same product: Signalk Signal K Server
CVE-2026-4818Shared CWE-285, CWE-862
CVE-2025-2110Shared CWE-862

Affected Assets

signalk
signal k server
2.24.0 · ≤ 2.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to block unauthenticated access to the /enableSecurity endpoint, directly preventing the privilege escalation via improper authorization.

prevent

Validates and sanitizes inputs to the /enableSecurity endpoint to block admin role injection attacks exploiting CWE-285 and CWE-862.

prevent

Enforces least privilege to restrict role assignments and administrative capabilities, mitigating unauthorized escalation to full admin access.

References