WebSocket Authentication Vulnerability in Signal K Server
CVE-2026-41893

8.7 HIGH

Key Information:

Vendor: Signalk

CVE Published: 9 May 2026

What is CVE-2026-41893?

The Signal K Server, a central hub application for boats, had a flaw in its authentication mechanism prior to version 2.25.0. While the HTTP login endpoints were protected by express-rate-limit, the WebSocket login path did not enforce equivalent rate limiting. An attacker could therefore open a WebSocket connection and submit an unlimited number of password guesses at a high rate, bypassing the throttling intended to slow brute-force attempts. The issue has been fixed in version 2.25.0, reinforcing the importance of keeping the server up to date to mitigate such vulnerabilities.
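The mitigation in outline, as an added example that is not Signal K's own code: a per-client failed-attempt limiter applied to login messages received over a WebSocket, so that path gets the same throttling the HTTP route already had. The `{"login": {username, password}}` message shape, the limits, the credential store and the socket stand-in are all assumptions made for the demo.

```javascript
// Added example (not Signal K's code): throttle WebSocket login attempts per client.
const MAX_ATTEMPTS = 5;    // assumption: failed logins allowed per window per client key
const WINDOW_MS = 60_000;  // assumption: length of the sliding window in milliseconds

function createLoginLimiter(max = MAX_ATTEMPTS, windowMs = WINDOW_MS) {
  const attempts = new Map(); // client key (e.g. remote IP) -> timestamps of failed attempts
  return {
    // True if the client may attempt a login now, false if it is throttled.
    allow(key, now = Date.now()) {
      const recent = (attempts.get(key) || []).filter((t) => now - t < windowMs);
      attempts.set(key, recent);
      return recent.length < max;
    },
    // Failed attempts are counted; a success clears the client's counter.
    record(key, ok, now = Date.now()) {
      if (ok) { attempts.delete(key); return; }
      const recent = attempts.get(key) || [];
      recent.push(now);
      attempts.set(key, recent);
    },
  };
}

// Constructed credential store for the demo; a real server checks a password hash.
const users = new Map([['skipper', 'correct horse']]);
function verify(username, password) {
  return users.get(username) === password;
}

// Handle one login message arriving on a WebSocket. `socket` is a constructed stand-in
// for a connection: { remoteAddress, send(text), close() }. Returns the status code sent.
function handleLoginMessage(limiter, socket, msg, now = Date.now()) {
  const key = socket.remoteAddress;
  if (!limiter.allow(key, now)) {
    socket.send(JSON.stringify({ login: { statusCode: 429, message: 'Too many login attempts' } }));
    socket.close(); // drop the connection instead of letting guesses continue on it
    return 429;
  }
  const ok = verify(msg.login && msg.login.username, msg.login && msg.login.password);
  limiter.record(key, ok, now);
  socket.send(JSON.stringify({ login: { statusCode: ok ? 200 : 401 } }));
  return ok ? 200 : 401;
}
```

In a real deployment the limiter state should be the same store the HTTP login route consults, so a client cannot split its attempts across the two paths.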

Affected Version(s)

signalk-server < 2.25.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved