CVE-2026-41893

Published 09/05/2026 20:16 · Modified 09/05/2026 20:16

Labels: CVE-2026-41893 · 2026-05-09 · CWE-307

Essential information

Published: 09/05/2026 20:16
Modified: 09/05/2026 20:16
Author: Creator
CVSS: 8.7 HIGH (v3) · 8.7 HIGH (v4.0)
CISA KEV: No
CWE: CWE-307

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
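The advisory's point is that the WebSocket login path had no attempt budget while the HTTP path did. As an added illustration (not Signal K's code and not its 2.25.0 patch), the block below applies a fixed-window limiter to WebSocket `{login: {username, password}}` messages before the credential check runs; the peer key, the response shape and the `demoLogin` stand-in are assumptions.

```javascript
// Added example, not Signal K's code: give the WebSocket login path the same
// attempt budget the HTTP path gets from express-rate-limit (100 per 10 min).
// Fixed-window counter keyed by the peer (assumed: remote address); `now` is injectable for tests.
class LoginRateLimiter {
  constructor(limit = 100, windowMs = 10 * 60 * 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { start, count }
  }
  allow(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) return false; // budget exhausted for this window
    b.count += 1;
    return true;
  }
}

// One parsed WebSocket message of the form {login: {username, password}}.
// `login(username, password)` stands in for the server's credential check and
// runs only after the limiter admits the attempt; other messages return null.
function handleWsLogin(msg, remoteKey, limiter, login, now = Date.now()) {
  if (!msg || typeof msg.login !== 'object' || msg.login === null) return null;
  if (!limiter.allow(remoteKey, now)) {
    return { statusCode: 429, message: 'Too many login attempts' };
  }
  const { username, password } = msg.login;
  return login(username, password)
    ? { statusCode: 200, message: 'Login successful' }
    : { statusCode: 401, message: 'Invalid username or password' };
}

// Constructed stand-in for a bcrypt-backed user store (not real credentials).
const demoLogin = (u, p) => u === 'skipper' && p === 'correct-passphrase';
// Feeds `n` wrong guesses from one peer (constructed address) through the
// handler; reports how many reached the credential check vs. were throttled.
function countOutcomes(n, limit) {
  const limiter = new LoginRateLimiter(limit);
  const counts = { evaluated: 0, throttled: 0 };
  for (let i = 0; i < n; i++) {
    const msg = { login: { username: 'skipper', password: 'guess' + i } };
    const r = handleWsLogin(msg, '192.0.2.10', limiter, demoLogin, i);
    if (r.statusCode === 429) counts.throttled++; else counts.evaluated++;
  }
  return counts;
}
```

Once the budget is spent, guesses are answered with 429 without ever reaching the credential check, so the per-connection attempt rate is bounded by the limiter rather than by bcrypt's cost.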

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product: signal k / signal k server
CPE: cpe:2.3:a:signal_k:signal_k_server:2.25.0:*:*:*:*:*:*:*

Product: signal k / signal k server
CPE: cpe:2.3:a:signal_k:signal_k_server:*:*:*:*:*:*:*:*

References