Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) — CVE-2026-41893
GitHub · GitHub · CVE-2026-41893
ID
CVE-2026-41893
CVE-2026-41893
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.7
8.7
EPSS
0.00041
0.00041
Summary
## Summary The HTTP login endpoints (`POST /login` and `POST /signalk/v1/auth/login`) are protected by `express-rate-limit` (default: 100 attempts per 10-minute window, configurable via `HTTP_RATE_LIMITS`). The WebSocket login path — sending `{login: {username, password}}` messages over an established WebSocket connection — calls `app.securityStrategy.login()` directly without any rate limiting. An attacker can…
Product
npm: signalk-server
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.