PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41893 Unknown Vendor CVE debrief

CVE-2026-41893 affects Signal K Server versions before 2.25.0. The HTTP login endpoints are rate-limited, but the WebSocket login path accepts username/password messages without the same protection, allowing repeated guessing at the pace of bcrypt verification. The issue was addressed in version 2.25.0.

Vendor
Unknown Vendor
Product
Unknown
CVSS
8.7 (HIGH)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Operators and maintainers of Signal K Server installations, especially any deployment exposing the login-capable WebSocket interface to untrusted networks.

Technical summary

The source description says POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit, with a default of 100 attempts per 10 minutes and limits configurable via HTTP_RATE_LIMITS. The WebSocket login flow, which accepts {login: {username, password}} messages, instead invokes app.securityStrategy.login() directly, so those attempts never pass through the HTTP limiter. This is an authentication abuse path consistent with CWE-307 (improper restriction of excessive authentication attempts): an attacker who has exhausted, or simply avoided, the HTTP budget can keep guessing passwords over a single established WebSocket connection, throttled only by the server's bcrypt verification throughput. The patch is included in Signal K Server v2.25.0.
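The following is an added illustration of the pattern described above, not code from Signal K Server or from the 2.25.0 fix: a minimal fixed-window limiter (modelled on the express-rate-limit defaults the advisory cites) shared by an HTTP login handler and a WebSocket message handler, beside the unlimited WebSocket handler that constitutes the weakness. The handler shapes, the plain-text credential check standing in for bcrypt, the client address used as the limiter key, and the sample user and guesses are all assumptions made for the example.

```javascript
// Added example, not Signal K Server's code: a shared login limiter that
// gates both the HTTP and the WebSocket login paths. The handler shapes,
// the {login: {username, password}} message layout and the IP keying are
// assumptions; the real project's handler internals are not on the page.

// Fixed-window limiter in the style of express-rate-limit's defaults
// (100 attempts per 10 minutes), keyed by a string such as the client IP.
class LoginRateLimiter {
  constructor({ max = 100, windowMs = 10 * 60 * 1000 } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.windows = new Map(); // key -> { start, count }
  }

  // Returns true and records the attempt if `key` still has budget at `now`,
  // false otherwise. The window restarts once windowMs has elapsed.
  consume(key, now = Date.now()) {
    let w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      w = { start: now, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= this.max) return false;
    w.count += 1;
    return true;
  }
}

// Stand-in for app.securityStrategy.login(): counts how many credential
// verifications actually ran, which is the cost the limiter is meant to cap.
// Plain comparison replaces bcrypt so the example runs offline.
function makeStrategy(users) {
  let calls = 0;
  return {
    login(username, password) {
      calls += 1;
      return Object.prototype.hasOwnProperty.call(users, username) &&
        users[username] === password;
    },
    calls: () => calls,
  };
}

// Vulnerable pattern (CWE-307): the WebSocket message handler calls the
// strategy directly, so the HTTP limiter never sees these attempts.
function wsLoginUnlimited(strategy, conn, msg) {
  if (!msg.login) return null;
  const ok = strategy.login(msg.login.username, msg.login.password);
  return { login: { statusCode: ok ? 200 : 401 } };
}

// Hardened pattern: one limiter instance shared by both entry points and keyed
// by the client's address, so guesses over an already-open socket draw from
// the same budget as POST /login.
function makeLimitedHandlers(strategy, limiter) {
  return {
    httpLogin(req) {
      if (!limiter.consume(req.ip)) return { statusCode: 429 };
      const ok = strategy.login(req.body.username, req.body.password);
      return { statusCode: ok ? 200 : 401 };
    },
    wsLogin(conn, msg) {
      if (!msg.login) return null;
      if (!limiter.consume(conn.remoteAddress)) return { login: { statusCode: 429 } };
      const ok = strategy.login(msg.login.username, msg.login.password);
      return { login: { statusCode: ok ? 200 : 401 } };
    },
  };
}

// Scenario: an attacker burns the HTTP budget, then keeps guessing over a
// WebSocket. Returns how many verifications each design let through.
function simulate({ max = 5, attempts = 20 } = {}) {
  const users = { admin: 'correct horse battery staple' }; // constructed sample user
  const conn = { remoteAddress: '198.51.100.7' };          // constructed client
  const guesses = Array.from({ length: attempts }, (_, i) => ({
    login: { username: 'admin', password: `guess-${i}` },
  }));

  const unlimited = makeStrategy(users);
  guesses.forEach((g) => wsLoginUnlimited(unlimited, conn, g));

  const limited = makeStrategy(users);
  const limiter = new LoginRateLimiter({ max });
  const { httpLogin, wsLogin } = makeLimitedHandlers(limited, limiter);
  const httpStatuses = guesses.slice(0, max)
    .map((g) => httpLogin({ ip: conn.remoteAddress, body: g.login }).statusCode);
  const wsStatuses = guesses.slice(max)
    .map((g) => wsLogin(conn, g).login.statusCode);

  return {
    unlimitedVerifications: unlimited.calls(),
    limitedVerifications: limited.calls(),
    httpStatuses,
    wsStatuses,
  };
}

console.log(simulate());
```

With max set to 5 and 20 guesses, the unlimited WebSocket handler lets all 20 reach the credential check, while the shared limiter stops at 5 and answers the remaining WebSocket messages with 429 without touching the strategy. Keying on conn.remoteAddress assumes clients connect directly; behind a reverse proxy the key must come from a forwarded address the proxy is trusted to set, and the same consideration applies to express-rate-limit on the HTTP side.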

Defensive priority

High. This is an online authentication weakness that can materially increase password-guessing risk against exposed deployments.

Recommended defensive actions

  • Upgrade Signal K Server to version 2.25.0 or later.
  • Verify that WebSocket-based authentication follows the same rate-limiting and lockout policy as HTTP login endpoints.
  • Review HTTP_RATE_LIMITS and confirm the configured limits match your deployment risk tolerance.
  • Monitor authentication failures and repeated WebSocket login attempts for suspicious patterns.
  • If an immediate upgrade is not possible, restrict the login-capable HTTP and WebSocket interfaces to trusted networks (for example with firewall rules or a VPN) until the upgrade is done.

Evidence notes

The debrief is based on the CVE description and the official GitHub references listed by NVD. The description explicitly states that HTTP login endpoints are rate-limited while the WebSocket login path is not, and that version 2.25.0 contains the fix. NVD also lists CWE-307 and references the commit, pull request, release tag, and GitHub Security Advisory for corroboration. Timing context uses the CVE published/modified timestamp of 2026-05-09T20:16:27.273Z.

Official resources

Publicly disclosed and recorded on 2026-05-09; the issue is fixed in Signal K Server v2.25.0.