{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-02T16:20:17.750Z", "dateUpdated": "2026-04-02T18:46:36.895Z"}, "containers": {"cna": {"title": "signalk-server: Arbitrary Prototype Read via `from` Field Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.24.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:20:17.750Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0."}], "source": {"advisory": "GHSA-qh3j-mrg8-f234", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:46:22.506545Z", "id": "CVE-2026-35038", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:46:36.895Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0."}], "id": "CVE-2026-35038", "lastModified": "2026-04-02T17:16:27.163", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:27.163", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.24.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "signalk-server", "source": "cna", "vendor": "SignalK"}, "product": "signalk-server", "vendor": "signalk"}], "analysis": {"en": {"generated_at": "2026-04-02T22:58:47.663506+00:00", "value": {"mitigation_remediation": ["Upgrade SignalK signalk-server to version 2.24.0 or later.", "Verify that prototype boundary filtering is restored after the upgrade.", "Ensure that any custom configuration does not re\u2011enable the bypass."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerable product is SignalK signalk-server. All installations running any version earlier than 2.24.0 are affected. The CVE reference points to the release notes for v2.24.0, which contains the fix.", "description_and_impact": "SignalK signalk-server prior to version 2.24.0 includes an arbitrary prototype read vulnerability that can be triggered by a low\u2011privileged authenticated user when a `from` field value bypasses prototype boundary filtering. The attacker can read internal functions and properties from the global prototype object, violating data isolation and exposing data that should be protected. This information disclosure is classified as CWE\u2011200, whereas the underlying implementation flaw involves CWE\u2011125 and CWE\u201120.", "risk_and_exploitability": "The CVSS score of 2.1 indicates a low\u2011severity issue, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication to the server and a user who can specify a `from` field value, which is usually available to local users or remote users with authentication credentials. While the risk to confidentiality is limited to exposed internal properties, the presence of the flaw means that an attacker could read any data attached to prototype extensions that are not otherwise protected."}}}}, "created": "2026-04-03T07:36:12.098704+00:00", "updated": "2026-04-03T09:18:34.350307+00:00", "vendors": ["signalk", "signalk$PRODUCT$signalk-server"]}