Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jb5w-972p-mkef
Vulnerability ID VCID-jb5w-972p-mkef
Aliases CVE-2026-34083
GHSA-cxj8-ggf2-p57c
Summary Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected. This issue has been patched in version 2.24.0.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-346 Origin Validation Error
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-34083
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-34083
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-34083
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cxj8-ggf2-p57c
cvssv3.1 6.1 https://github.com/SignalK/signalk-server
generic_textual MODERATE https://github.com/SignalK/signalk-server
cvssv3.1 6.1 https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
generic_textual MODERATE https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
ssvc Track https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
cvssv3.1 6.1 https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
cvssv3.1_qr MODERATE https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
generic_textual MODERATE https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
ssvc Track https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2026-34083
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34083
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-34083
https://github.com/SignalK/signalk-server
https://nvd.nist.gov/vuln/detail/CVE-2026-34083
GHSA-cxj8-ggf2-p57c https://github.com/advisories/GHSA-cxj8-ggf2-p57c
GHSA-cxj8-ggf2-p57c https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
v2.24.0 https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/SignalK/signalk-server
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:39:14Z/ Found at https://github.com/SignalK/signalk-server/releases/tag/v2.24.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:39:14Z/ Found at https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34083
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07792
EPSS Score 0.00026
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:47:25.180377+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/34xxx/CVE-2026-34083.json 38.6.0