Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Severity
- High
Description
According to SignalK’s security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.
Recommendation
Update the signalk-server package to the latest compatible version. Version details follow:
- Affected version(s): < 2.24.0-beta.4
- Patched version(s): 2.24.0-beta.4
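The affected range above ends at a prerelease tag, and naive string or float comparison gets prerelease ordering wrong (2.24.0-beta.10 is newer than 2.24.0-beta.4, and 2.24.0 is newer than both). The following is an added example, not part of the advisory or of the signalk-server project: a small semver comparator that decides whether an installed version is inside the affected range, plus a helper that reads the version out of `npm ls signalk-server --json --depth=0` output. The JSON shape used there is an assumption about npm's output, and the JSON document in the block is a constructed sample.

```python
"""Check whether an installed signalk-server version is affected
(advisory range: < 2.24.0-beta.4). Added example, not project code."""
import json
import re
from typing import List, Tuple

PATCHED = "2.24.0-beta.4"  # first fixed version, from the advisory

# major.minor.patch, optional -prerelease, optional +build (build is ignored)
_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse(version: str) -> Tuple[Tuple[int, int, int], List[str]]:
    """Split a version into its numeric core and prerelease identifiers."""
    m = _SEMVER.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre = m.group(4).split(".") if m.group(4) else []
    return core, pre


def _cmp_ident(a: str, b: str) -> int:
    """Compare one prerelease identifier per semver precedence rules."""
    a_num, b_num = a.isdigit(), b.isdigit()
    if a_num and b_num:
        return (int(a) > int(b)) - (int(a) < int(b))
    if a_num != b_num:
        return -1 if a_num else 1  # numeric identifiers sort before alphanumeric
    return (a > b) - (a < b)


def compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is lower than, equal to or higher than v2."""
    c1, p1 = parse(v1)
    c2, p2 = parse(v2)
    if c1 != c2:
        return -1 if c1 < c2 else 1
    if not p1 and not p2:
        return 0
    if not p1:
        return 1   # a release outranks any prerelease of the same core
    if not p2:
        return -1
    for a, b in zip(p1, p2):
        r = _cmp_ident(a, b)
        if r:
            return r
    # equal prefix: the longer prerelease list has higher precedence
    return (len(p1) > len(p2)) - (len(p1) < len(p2))


def is_affected(installed: str) -> bool:
    """True when the installed version is below the patched version."""
    return compare(installed, PATCHED) < 0


def version_from_npm_ls(npm_ls_json: str, package: str = "signalk-server") -> str:
    """Pull the package version out of `npm ls <pkg> --json --depth=0` output.
    Assumed shape: {"dependencies": {"<pkg>": {"version": "x.y.z"}}}."""
    doc = json.loads(npm_ls_json)
    return doc["dependencies"][package]["version"]


# Constructed sample of npm output, not captured from a real host.
SAMPLE_NPM_LS = json.dumps(
    {"name": "my-boat", "dependencies": {"signalk-server": {"version": "2.23.8"}}}
)


def check_sample() -> Tuple[str, bool]:
    """Run the check over the constructed sample; returns (version, affected)."""
    v = version_from_npm_ls(SAMPLE_NPM_LS)
    return v, is_affected(v)


if __name__ == "__main__":
    for v in ["2.23.8", "2.24.0-beta.3", "2.24.0-beta.4", "2.24.0-beta.10", "2.24.0"]:
        print(f"{v:>15}: {'AFFECTED' if is_affected(v) else 'ok'}")
    print(check_sample())
```

Feed it the real output of `npm ls signalk-server --json --depth=0` (add `-g` for a global install) instead of the constructed sample; anything reported as affected should be upgraded to 2.24.0-beta.4 or later.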
References
- GHSA-x8hc-fqv3-7gwf
- CVE-2026-33950
- CWE-285
- CWE-288
- CWE-862
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Signal K Server: Arbitrary Prototype Read via `from` Field Bypass - CVE-2026-35038
- Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow - CVE-2026-34083
- Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
- Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration - CVE-2026-45716
- Tags:
- npm
- signalk-server
Last updated on April 03, 2026