Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Severity:: Medium

Description

SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri.

Recommendation

Update the signalk-server package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.20.0, < 2.24.0
Patched version(s): 2.24.0

References

GHSA-cxj8-ggf2-p57c
CVE-2026-34083
CWE-346
CWE-601
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Signal K Server: Arbitrary Prototype Read via `from` Field Bypass - CVE-2026-35038
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity - CVE-2026-33950

Host Header Injection and Python Tests with SmartScanner 1.11

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:: npm; signalk-server

Anything's wrong? Let us know Last updated on April 03, 2026