CVE-2026-41893
Received Received - Intake
WebSocket Authentication Bypass in Signal K Server

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path β€” sending {login: {username, password}} messages over an established WebSocket connection β€” calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41893
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
signalk signalk_server 2.24.0
signalk signalk_server to 2.25.0 (exc)
signalk signalk_server 2.25.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Signal K Server versions 2.24.0 and earlier involves the WebSocket login endpoint lacking rate limiting protections. While the HTTP login endpoints enforce rate limits (default 100 attempts per 10 minutes), the WebSocket login path allows attackers to bypass these limits entirely by sending unlimited login attempts over an established WebSocket connection.

This allows an attacker to perform rapid brute-force password guessing at about 20 attempts per second, limited only by bcrypt's processing speed. Multiple parallel WebSocket connections can multiply the attack speed, enabling large dictionary attacks in minutes.

The root cause is that the WebSocket login handler directly calls the login function without any throttling, unlike the HTTP login routes which use express-rate-limit middleware.

Impact Analysis

This vulnerability can allow attackers to perform unlimited brute-force login attempts on the Signal K Server via WebSocket connections, bypassing HTTP rate limits.

Such attacks can lead to unauthorized access if weak or common passwords are used, compromising the security of the server and potentially the boat's network where the server is deployed.

The high speed of attempts (around 20 per second per connection) means attackers can quickly try large password dictionaries, increasing the risk of credential compromise.

This can result in unauthorized control or data access on the boat's central hub, impacting operational security and safety.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high numbers of login attempts over WebSocket connections to the Signal K server, especially attempts that bypass the HTTP login rate limits.

Since the vulnerability involves unlimited password guesses sent via WebSocket messages containing login credentials, detection involves observing WebSocket traffic for repeated login messages from the same IP address at a high rate (approximately 20 attempts per second or more).

Suggested commands or approaches include:

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to filter WebSocket traffic to the server and analyze for repeated login messages.
  • Example tcpdump command to capture WebSocket traffic on port 80 or 443 (adjust port as needed): tcpdump -i <interface> tcp port 80 or tcp port 443 -w capture.pcap
  • Analyze captured traffic for repeated JSON messages containing {login: {username, password}} over WebSocket frames.
  • Check server logs for high-frequency login attempts or authentication failures originating from the same IP address.
  • If available, enable or review rate limiting logs or alerts that indicate excessive login attempts.
Mitigation Strategies

The immediate mitigation step is to upgrade the Signal K server to version 2.25.0 or later, where the vulnerability has been patched.

Version 2.25.0 introduces a shared, per-IP rate limiter that enforces a combined login attempt budget across both HTTP and WebSocket login endpoints, preventing attackers from bypassing rate limits via WebSocket.

Additional mitigation steps include:

  • Apply the patch or update that implements the custom LoginRateLimiter module, which limits login attempts to 100 per 10 minutes per IP address, shared between HTTP and WebSocket.
  • Configure and verify that the server correctly extracts client IP addresses, including respecting the X-Forwarded-For header if behind a proxy, to ensure accurate rate limiting.
  • Monitor login attempts and consider additional network-level protections such as firewall rules to limit access to the Signal K server from untrusted networks.
  • If upgrading immediately is not possible, consider temporarily disabling or restricting WebSocket login access or implementing external rate limiting or intrusion detection systems.
Compliance Impact

The vulnerability in Signal K Server allows attackers to bypass HTTP rate limiting by using the WebSocket login endpoint to perform unlimited brute-force password guessing attacks. This can lead to unauthorized access to user accounts or sensitive data.

Such unauthorized access risks violating common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protection of personal data and secure authentication mechanisms to prevent unauthorized access.

By enabling rapid brute-force attacks without effective rate limiting, the vulnerability undermines the integrity and confidentiality of user authentication, potentially leading to data breaches and non-compliance with these regulations.

The fix implemented in version 2.25.0 introduces a unified per-IP rate limiter across both HTTP and WebSocket login endpoints, mitigating the risk and helping restore compliance with security best practices required by such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart