CVE-2026-41893
HIGHDescription
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
Is your site exposed to CVE-2026-41893?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| signalk | signal_k_server |
References
Advisories & Patches
Exploits
Other References
Frequently Asked Questions
What is CVE-2026-41893? +
How severe is CVE-2026-41893? +
What products are affected by CVE-2026-41893? +
How do I check if I'm vulnerable to CVE-2026-41893? +
Related Vulnerabilities
Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to …
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web …
Lack of Rate Limiting in Sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy online allows attacker to …
Lack of protection against brute force attacks in Valmet DNA visualization in DNA Operate. The possibility to make an arbitrary …
This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts …
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key …