CVE-2026-41893: CWE-307: Improper Restriction of Excessive Authentication Attempts in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
AI Analysis
Technical Summary
SignalK signalk-server versions before 2.25.0 implement rate limiting on HTTP login endpoints but do not apply similar restrictions to the WebSocket login mechanism. The WebSocket login messages directly invoke the login function without rate limiting, enabling attackers to bypass the HTTP rate limits and attempt brute-force password guessing at approximately 20 attempts per second (bcrypt with 10 salt rounds). This constitutes an improper restriction of excessive authentication attempts (CWE-307). The vulnerability is addressed in version 2.25.0.
Potential Impact
An attacker can bypass HTTP rate limiting by using the WebSocket login path to perform high-speed brute-force password guessing attempts. This increases the risk of unauthorized access if weak credentials are used. The CVSS 4.0 base score is 8.7 (high severity), reflecting network attack vector, no privileges or user interaction required, and high impact on confidentiality and integrity via authentication bypass.
Mitigation Recommendations
Upgrade signalk-server to version 2.25.0 or later, where this vulnerability has been patched by applying rate limiting to the WebSocket login path. Until upgraded, consider implementing external rate limiting or monitoring for abnormal WebSocket login activity. Patch status is confirmed by the vendor's versioning information.
CVE-2026-41893: CWE-307: Improper Restriction of Excessive Authentication Attempts in SignalK signalk-server
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
CVSS v4.0
Score 8.7high
Affected software
pkg:github/signalk/signalk-serverRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SignalK signalk-server versions before 2.25.0 implement rate limiting on HTTP login endpoints but do not apply similar restrictions to the WebSocket login mechanism. The WebSocket login messages directly invoke the login function without rate limiting, enabling attackers to bypass the HTTP rate limits and attempt brute-force password guessing at approximately 20 attempts per second (bcrypt with 10 salt rounds). This constitutes an improper restriction of excessive authentication attempts (CWE-307). The vulnerability is addressed in version 2.25.0.
Potential Impact
An attacker can bypass HTTP rate limiting by using the WebSocket login path to perform high-speed brute-force password guessing attempts. This increases the risk of unauthorized access if weak credentials are used. The CVSS 4.0 base score is 8.7 (high severity), reflecting network attack vector, no privileges or user interaction required, and high impact on confidentiality and integrity via authentication bypass.
Mitigation Recommendations
Upgrade signalk-server to version 2.25.0 or later, where this vulnerability has been patched by applying rate limiting to the WebSocket login path. Until upgraded, consider implementing external rate limiting or monitoring for abnormal WebSocket login activity. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.671Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ff8cbdcbff5d86106ac31e
Added to database: 05/09/2026, 19:36:29 UTC
Last enriched: 05/17/2026, 09:23:34 UTC
Last updated: 06/29/2026, 20:51:27 UTC
Views: 112
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.