Signal K: Sinking the Ship with a Leaky WebSocket
Jan 2, 2026 · 7 min read
Executive Summary (TL;DR)
Signal K Server broadcast sensitive 'access request' events, including the request IDs, to unauthenticated WebSocket clients. Combined with a polling endpoint that returned the plaintext JWT once a request was approved, this let an attacker passively observe legitimate device-approval attempts and collect the resulting session tokens, gaining full administrative control over the vessel's data server.
A critical authentication bypass in Signal K Server allows unauthenticated attackers to hijack administrative sessions. By listening to the public WebSocket stream for access request IDs and polling an insecure REST endpoint, attackers can steal valid JWTs the moment an administrator approves a legitimate device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Signal K Server (Signal K) | < 2.19.0 | 2.19.0 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (WebSocket & REST) |
| CVSS v3.1 | 9.1 (Critical) |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Exploit Status | PoC Available |
| Impact | Full Admin Compromise |
| Prerequisites | None (Unauthenticated) |
CWE-306 Description
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.