CVE-2026-55591

CVE-2026-55591 is a medium-severity server-side request forgery (SSRF) vulnerability in signalk-server (npm), affecting versions <= 2.27.0. It is fixed in 2.28.0.

Key facts

  • CVSS score: 5.8 (Medium)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: signalk-server
  • Fixed in: 2.28.0
  • Disclosed: 2026

Summary

signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The makeRemoteRequest() function accepts attacker-controlled host, port, useTLS, and selfsignedcert parameters without any validation, allowing an attacker to force the server to make arbitrary HTTP/HTTPS requests to internal network resources, cloud metadata services, and other unintended destinations. When security is not configured (the default state), these endpoints require no authentication.

Details

Vulnerable Function

The core vulnerability is in makeRemoteRequest() at src/serverroutes.ts:2483-2524:

Missing Validation

The function performs zero validation on the destination host. The following address ranges are all reachable:

  • Loopback: 127.0.0.1, ::1, localhost
  • RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Link-local / cloud metadata: 169.254.169.254 (AWS EC2 instance metadata, GCP, Azure IMDS)
  • IPv6 link-local: fe80::/10
  • Any arbitrary external host, enabling the server as an open proxy

Authentication Bypass via Default Configuration

The endpoints are protected by addAdminMiddleware() (lines 2339-2345):

However, when security is not configured, the server uses dummysecurity.ts, where addAdminMiddleware is a no-op:

This means that on a default installation with no admin user created, all three endpoints are accessible without any authentication.

Additional Attack Surface: TLS Verification Bypass

The selfsignedcert parameter directly controls rejectUnauthorized:

When an attacker sets selfsignedcert: true, the server will connect to any HTTPS endpoint without verifying the TLS certificate, enabling MITM attacks on the outbound connection.

Additional Attack Surface: Path Traversal in checkAccessRequest

The checkAccessRequest endpoint interpolates requestId directly into the URL path:

An attacker can use path traversal (e.g., requestId: "../../other/endpoint") to target arbitrary paths on the destination host.

PoC

Target Setup

Set up a bare-metal signalk-server for testing (or use Docker to simulate):

Set the target variable:

Confirm "authenticationRequired":false in the loginStatus response before proceeding.

PoC 1: Loopback Connection (Self-Discovery)

Response (confirms SSRF, the server connected to itself):

PoC 2: Port Scanning via Error Differentiation

The three distinct error responses allow an attacker to map internal network topology.

PoC 3: AWS Instance Metadata Service (IMDSv1)

On a cloud-hosted signalk-server (AWS EC2):

The server connects to the EC2 metadata endpoint. The response will contain the discovery JSON parse result, leaking metadata.

For deeper paths, use checkAccessRequest with path traversal in requestId:

Impact

  • Internal Network Scanning: An attacker can probe internal hosts and ports. The response distinguishes between open ports (HTTP response returned), closed ports (connection refused error), and filtered ports (timeout after 10 seconds).
  • Cloud Metadata Exfiltration: On cloud-hosted instances (AWS EC2, GCP, Azure), an attacker can reach the instance metadata service at 169.254.169.254 to steal IAM credentials, instance identity tokens, and other sensitive metadata.
  • Internal Service Data Exfiltration: The testSignalKConnection endpoint returns the full response body from the target, allowing reading of data from internal HTTP services not otherwise accessible from the internet.
  • Server-Side POST Requests: The requestAccess endpoint sends a POST request with an attacker-controlled JSON body (clientId, description), enabling interaction with internal APIs that accept POST requests.
  • Lateral Movement: In containerized or Kubernetes environments, the server can be used to access cluster-internal services, the Kubernetes API, or other containers on the Docker network.
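As an added example (not code from signalk-server and not the 2.28.0 fix), the following TypeScript validators show the kind of input check that makeRemoteRequest() lacks: isSafeRemoteHost rejects the address ranges listed above (plus IPv4-mapped IPv6 and non-canonical numeric spellings), and isSafeRequestId rejects the path-traversal form of requestId. The function names are assumed, and the sample hosts in the comments are constructed.

```typescript
import { isIP } from "net";

// Added illustration, not signalk-server's own 2.28.0 fix: a deny-list check for
// the `host` parameter of makeRemoteRequest(), covering the ranges the advisory
// lists (an allow-list of configured remote servers is the stronger control).
// IP literals are checked directly; plain hostnames must be resolved by the
// caller, every resolved address re-checked, and the request pinned to it.
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8],    // loopback
  ["10.0.0.0", 8],     // RFC 1918
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
  ["169.254.0.0", 16], // link-local, includes 169.254.169.254 (cloud metadata)
  ["0.0.0.0", 8],      // "this network"; 0.0.0.0 reaches loopback on Linux
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, oct) => acc * 256 + Number(oct), 0);
}

function inV4Cidr(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}
export function isSafeRemoteHost(host: string): boolean {
  let h = host.trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // [::1] form
  if (h === "localhost" || h.endsWith(".localhost")) return false;
  const family = isIP(h);
  if (family === 4) return !BLOCKED_V4.some(([b, n]) => inV4Cidr(h, b, n));
  if (family === 6) {
    const v4 = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h)?.[1];
    if (v4) return isSafeRemoteHost(v4);         // IPv4-mapped IPv6
    if (h === "::1" || h === "::") return false; // loopback / unspecified
    if (/^fe[89ab]/.test(h)) return false;       // fe80::/10 link-local
    if (/^f[cd]/.test(h)) return false;          // fc00::/7 unique local
    return true; // uncompressed forms (0:0:0:0:0:0:0:1) need canonicalising first
  }
  // Numeric spellings isIP rejects ("127.1", "0177.0.0.1") still resolve to loopback.
  if (/^[\d.]+$/.test(h)) return false;
  // Otherwise accept a syntactically valid DNS name; the caller resolves it.
  return /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/.test(h);
}

// requestId is interpolated into the URL path by checkAccessRequest; accept
// only an opaque token so "../" or "/" can never change the target path.
export function isSafeRequestId(id: string): boolean {
  return /^[A-Za-z0-9_-]{1,128}$/.test(id);
}
```

The selfsignedcert flag deserves the same treatment: rejectUnauthorized belongs in server configuration, not in a request parameter.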

Impact

What is server-side request forgery (SSRF)?

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

Severity and exposure

CVE-2026-55591 has a CVSS score of 5.8 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (2.28.0). Upgrading removes the vulnerable code path.

Affected versions

npm

  • signalk-server (<= 2.27.0)

Security releases

  • signalk-server → 2.28.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-55591 is reachable in your applications. Explore open-source security for your team.


Remediation advice

Upgrade signalk-server to 2.28.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-55591

What is CVE-2026-55591?

CVE-2026-55591 is a medium-severity server-side request forgery (SSRF) vulnerability in signalk-server (npm), affecting versions <= 2.27.0. It is fixed in 2.28.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.

How severe is CVE-2026-55591?

CVE-2026-55591 has a CVSS score of 5.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of signalk-server are affected by CVE-2026-55591?

signalk-server (npm) versions <= 2.27.0 are affected.

Is there a fix for CVE-2026-55591?

Yes. CVE-2026-55591 is fixed in 2.28.0. Upgrade to this version or later.

Is CVE-2026-55591 exploitable, and should I be worried?

Whether CVE-2026-55591 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-55591 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-55591?

Upgrade signalk-server to 2.28.0 or later.
