CVE-2026-55591: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The makeRemoteRequest() function accepts attacker-controlled host, port, useTLS, and selfsignedcert parameters without any validation, allowing an attacker to force the server to make arbitrary HTTP/HTTPS requests to internal network resources, cloud metadata services, and other unintended destinations.
When security is not configured (the default state), these endpoints require no authentication.