CVE-2026-41893: CWE-307: Improper Restriction of Excessive Authentication Attempts in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
AI Analysis
Technical Summary
SignalK signalk-server versions before 2.25.0 implement rate limiting on HTTP login endpoints but do not apply any rate limiting on the WebSocket login mechanism. This allows an attacker to bypass the express-rate-limit protections by sending login attempts over an established WebSocket connection, enabling high-speed brute force password guessing limited only by bcrypt's computational cost (~20 attempts per second with 10 salt rounds). The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) and has a CVSS 4.0 base score of 8.7, indicating high severity. The vulnerability was publicly disclosed on 2026-05-09 and fixed in version 2.25.0 of signalk-server.
Potential Impact
An attacker can perform unlimited authentication attempts over WebSocket connections, bypassing HTTP rate limiting controls. This increases the risk of successful brute force attacks against user credentials, potentially leading to unauthorized access to the signalk-server. The vulnerability affects confidentiality and integrity by enabling credential compromise. There are no known exploits in the wild as of the publication date.
Mitigation Recommendations
Upgrade signalk-server to version 2.25.0 or later, where this vulnerability has been patched by adding appropriate rate limiting to the WebSocket login path. Until the upgrade is applied, consider implementing external rate limiting or monitoring on WebSocket login attempts if feasible. Patch status is confirmed by the vendor's versioning; no other official remediation level is provided.
CVE-2026-41893: CWE-307: Improper Restriction of Excessive Authentication Attempts in SignalK signalk-server
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SignalK signalk-server versions before 2.25.0 implement rate limiting on HTTP login endpoints but do not apply any rate limiting on the WebSocket login mechanism. This allows an attacker to bypass the express-rate-limit protections by sending login attempts over an established WebSocket connection, enabling high-speed brute force password guessing limited only by bcrypt's computational cost (~20 attempts per second with 10 salt rounds). The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) and has a CVSS 4.0 base score of 8.7, indicating high severity. The vulnerability was publicly disclosed on 2026-05-09 and fixed in version 2.25.0 of signalk-server.
Potential Impact
An attacker can perform unlimited authentication attempts over WebSocket connections, bypassing HTTP rate limiting controls. This increases the risk of successful brute force attacks against user credentials, potentially leading to unauthorized access to the signalk-server. The vulnerability affects confidentiality and integrity by enabling credential compromise. There are no known exploits in the wild as of the publication date.
Mitigation Recommendations
Upgrade signalk-server to version 2.25.0 or later, where this vulnerability has been patched by adding appropriate rate limiting to the WebSocket login path. Until the upgrade is applied, consider implementing external rate limiting or monitoring on WebSocket login attempts if feasible. Patch status is confirmed by the vendor's versioning; no other official remediation level is provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.671Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ff8cbdcbff5d86106ac31e
Added to database: 5/9/2026, 7:36:29 PM
Last enriched: 5/9/2026, 7:51:44 PM
Last updated: 5/10/2026, 5:47:42 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.