CVE-2026-33950
Published: 02 April 2026
Summary
CVE-2026-33950 is a critical-severity Improper Authorization (CWE-285) vulnerability in Signalk Signal K Server. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to block unauthenticated access to the /enableSecurity endpoint, directly preventing the privilege escalation via improper authorization.
Validates and sanitizes inputs to the /enableSecurity endpoint to block admin role injection attacks exploiting CWE-285 and CWE-862.
Enforces least privilege to restrict role assignments and administrative capabilities, mitigating unauthorized escalation to full admin access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated privilege escalation in a public-facing web application (/enableSecurity endpoint) that bypasses auth/authz to grant full admin access, directly mapping to exploitation of public-facing apps for initial access and priv esc.
NVD Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access…
more
to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Deeper analysisAI
CVE-2026-33950 is a privilege escalation vulnerability in Signal K Server, an application that runs on a central hub in boats to manage vessel data. Prior to version 2.24.0-beta.4, the flaw allows Admin Role Injection via the /enableSecurity endpoint, enabling attackers to bypass authentication and authorization controls. It is associated with CWE-285 (Improper Authorization), CWE-288 (Authentication Bypass Using an Alternate Path or Channel), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), reflecting high confidentiality, integrity, and limited availability impact.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full Administrator access to the Signal K Server at any time, allowing the attacker to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints, potentially compromising navigation safety and operational integrity.
The issue has been addressed in Signal K Server version 2.24.0-beta.4. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf and the release notes at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4.
Details
- CWE(s)