CVE-2026-33951
Published: 02 April 2026
Summary
CVE-2026-33951 is a high-severity Improper Access Control (CWE-284) vulnerability in Signalk Signal K Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to the unauthenticated endpoint, preventing remote attackers from modifying navigation data source priorities.
Restricts access to configuration changes such as source priorities to authorized users, blocking unauthorized PUT requests to the vulnerable endpoint.
Applies least privilege to limit configuration modification capabilities, ensuring only necessary access to server settings like data source priorities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated HTTP endpoint in public-facing Signal K Server directly enables remote exploitation of the application to modify configuration (T1190).
NVD Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.
Deeper analysis
CVE-2026-33951 is a vulnerability in Signal K Server, a server application that runs on central hubs in boats, affecting versions prior to 2.24.0-beta.1. The issue stems from an unauthenticated HTTP endpoint at PUT /signalk/v1/api/sourcePriorities, which lacks authentication or authorization checks and directly assigns user-controlled input to the server configuration. This allows remote attackers to modify navigation data source priorities, influencing which GPS, AIS, or other sensor data sources are trusted by the system. Changes take effect immediately and are persisted to disk, surviving server restarts. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is linked to CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function).
Remote attackers can exploit this vulnerability over the network without privileges, user interaction, or special conditions, owing to its low attack complexity. By issuing a PUT request to the exposed endpoint with a malicious payload, an attacker can reprioritize data sources, causing the server to favor spoofed or unreliable inputs from GPS, AIS, or sensors over legitimate ones. This enables persistent manipulation of navigation data, potentially leading to incorrect positioning, collision risks, or disrupted vessel operations.
The vulnerability has been patched in Signal K Server version 2.24.0-beta.1. Additional details on the fix and upgrade instructions are available in the release notes at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1 and the GitHub security advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5.
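The access-control gap described above, as an added example rather than Signal K Server's own code: a dependency-free JavaScript model of the PUT /signalk/v1/api/sourcePriorities handler, once assigning the request body straight into persisted configuration with no check (the CWE-306/CWE-284 pattern) and once enforcing authentication, an authorization check and payload validation first (NIST AC-3 and AC-6 in practice). The request shape, the config layout, the `admin` role and the constructed source names are assumptions for this example.

```javascript
// Added illustration, not the project's code. Simulated server state:
// a source-priority table and a counter standing in for writes to disk.
function makeServer() {
  return {
    config: { sourcePriorities: {
      'navigation.position': [{ sourceRef: 'gps-primary', timeout: 1000 }] } }, // constructed
    persisted: 0,
  };
}

function persist(server) {
  server.persisted += 1; // stands in for writing the config file to disk
}

// Vulnerable pattern: user-controlled input goes directly into configuration,
// is persisted, and no principal is ever checked (CWE-306 / CWE-284).
function putSourcePrioritiesVulnerable(server, req) {
  server.config.sourcePriorities = req.body;
  persist(server);
  return { status: 200 };
}

// Shape check for the assumed payload: { "<path>": [{ sourceRef, timeout }, ...] }.
function isValidSourcePriorities(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) return false;
  return Object.values(body).every(list =>
    Array.isArray(list) && list.every(e =>
      e !== null && typeof e === 'object' &&
      typeof e.sourceRef === 'string' && Number.isInteger(e.timeout) && e.timeout >= 0));
}

// Hardened pattern: authenticate (AC-3), require a configuration-changing role
// (AC-6), validate the payload, and only then assign and persist.
function putSourcePrioritiesHardened(server, req) {
  if (!req.user) return { status: 401 };                 // no authenticated principal
  if (req.user.role !== 'admin') return { status: 403 }; // principal may not change config
  if (!isValidSourcePriorities(req.body)) return { status: 400 };
  server.config.sourcePriorities = req.body;
  persist(server);
  return { status: 200 };
}
```

The vulnerable handler lets an anonymous request replace the trusted position source and persist that change; the hardened one rejects the same request before any state is touched.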
Details
- CWE(s)