9.4
CVE-2026-33950
- EPSS 0.42%
- Veröffentlicht 02.04.2026 16:08:59
- Zuletzt bearbeitet 06.04.2026 15:04:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginsignalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Signalk ≫ Signal K Server Version < 2.24.0
Signalk ≫ Signal K Server Version2.24.0 Updatebeta1
Signalk ≫ Signal K Server Version2.24.0 Updatebeta2
Signalk ≫ Signal K Server Version2.24.0 Updatebeta3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.333 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.4 | 3.9 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf
https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4