Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
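The defect described above is that the WebSocket login path and the HTTP login path do not share one attempt budget. The following is an added example, not Signal K Server's own code, of a single sliding-window limiter keyed on the client address and consulted by both transports before credentials are checked. The names `LoginRateLimiter`, `handleWsMessage`, `handleHttpLogin` and `authenticate` are hypothetical; only the `{login: {username, password}}` message shape and the 100-attempts-per-10-minutes default come from the advisory, and the sample user stands in for the bcrypt-backed `app.securityStrategy.login()`.

```javascript
// Added example (not Signal K Server's code): one sliding-window login limiter
// shared by the HTTP login route and the WebSocket login message handler, so a
// client cannot escape the HTTP budget by switching transports.
// LoginRateLimiter, handleWsMessage, handleHttpLogin and authenticate are
// hypothetical names; the defaults mirror the advisory's HTTP policy.

class LoginRateLimiter {
  constructor({ windowMs = 10 * 60 * 1000, maxAttempts = 100 } = {}) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.attempts = new Map(); // key (e.g. client IP) -> attempt timestamps
  }

  // Record one attempt for `key` at `now`; return true if it is within budget.
  // Attempts over budget are not recorded, so a refused client is not
  // penalised longer than the window, but every accepted attempt counts
  // whether or not the credentials turn out to be valid.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.maxAttempts) {
      this.attempts.set(key, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(key, recent);
    return true;
  }
}

// Constructed sample user standing in for app.securityStrategy.login().
// The real server compares against a bcrypt hash; plain comparison here only
// keeps the example self-contained.
const SAMPLE_USERS = { skipper: 'correct-horse' };
function authenticate(username, password) {
  return SAMPLE_USERS[username] === password;
}

// Handle one parsed WebSocket message. `conn.remoteAddress` keys the limiter.
// Returns a result object instead of writing to the socket so the behaviour
// can be exercised without a server.
function handleWsMessage(limiter, conn, msg, now = Date.now()) {
  if (!msg || typeof msg.login !== 'object' || msg.login === null) {
    return { type: 'ignored' }; // not a login message; other handlers apply
  }
  // Charge the budget before validating, so a guess cannot probe for free.
  if (!limiter.allow(conn.remoteAddress, now)) {
    return { type: 'loginResponse', status: 429, error: 'Too many login attempts' };
  }
  const { username, password } = msg.login;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { type: 'loginResponse', status: 400, error: 'Malformed login' };
  }
  if (!authenticate(username, password)) {
    return { type: 'loginResponse', status: 401, error: 'Invalid credentials' };
  }
  return { type: 'loginResponse', status: 200, username };
}

// Express-style HTTP login handler drawing from the same limiter instance.
function handleHttpLogin(limiter, req, now = Date.now()) {
  if (!limiter.allow(req.ip, now)) {
    return { status: 429, error: 'Too many login attempts' };
  }
  const { username, password } = req.body || {};
  return authenticate(username, password)
    ? { status: 200, username }
    : { status: 401, error: 'Invalid credentials' };
}
```

The important design choice is that both handlers receive the same `LoginRateLimiter` instance; a second, separate limiter for the WebSocket path would still leave a client with double the intended budget. Keying on the client address is the simplest option; a deployment behind a reverse proxy must take the address from the trusted forwarding header, or every client collapses into the proxy's key.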
Published: 2026-05-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WebSocket login endpoint of the Signal K Server. Unlike the HTTP login routes, it lacks any rate limiting, allowing an attacker to submit an unlimited number of username and password pairs over a single WebSocket connection. Credentials guessed this way can then be used to gain unauthorized access to the server’s management interfaces, potentially exposing sensitive vessel data and control commands. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts), which covers failures to limit repeated authentication attempts and thereby enables credential stuffing and brute‑force attacks.

Affected Systems

Signal K Server installations running a version older than 2.25.0 are affected. The issue was present in all releases before 2.25.0, which added express‑rate‑limit handling for the WebSocket login route.

Risk and Exploitability

The CVSS score of 8.7 reflects the high severity of brute‑force authentication against a critical marine navigation platform. The EPSS score is not available, but because the vulnerability is exploitable without any privileges and guessing speed is bounded only by bcrypt hashing (roughly 20 attempts per second), the likelihood of a successful attack is significant in an environment with weak or common credentials. The vulnerability is not listed in the CISA KEV catalog, and no public exploitation reports are known. An attacker would open a WebSocket connection to the server’s designated port and submit credential attempts continuously, bypassing the 100‑attempt HTTP limit entirely.

Generated by OpenCVE AI on May 9, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Signal K Server installation to version 2.25.0 or later; the update re‑introduces rate limiting on the WebSocket login path and removes the unchecked access flaw.
  • If an immediate upgrade is not feasible, place a reverse‑proxy (e.g., Nginx or HAProxy) in front of the Signal K Server and configure WebSocket‑aware rate limiting on the /signalk/v1/auth/login WebSocket endpoint to restrict the number of allowed login attempts per client IP.
  • Continuously monitor authentication logs for repeated failed login attempts; apply temporary firewall or IP‑based blocking rules to mitigate ongoing brute‑force activity until an official patch is applied.
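To support the monitoring step above, the following added example (not part of the OpenCVE page or of Signal K Server) flags sources that produce repeated failed logins within a time window, whatever the transport. The log line format, the sample entries and the `parseLine` / `findBruteForceSources` names are constructed for this example; a real deployment would adapt `parseLine()` to the server's or reverse proxy's actual authentication log format and feed the findings to its blocking rules.

```javascript
// Added example (not Signal K Server's code): detect repeated failed logins
// per source address over a sliding window. SAMPLE_LOG and its line format
// are constructed for this example; parseLine() is the one place to adapt
// for a real authentication log.

const SAMPLE_LOG = [
  '2026-05-09T20:01:00Z auth login failed user=admin src=203.0.113.9 transport=ws',
  '2026-05-09T20:01:01Z auth login failed user=admin src=203.0.113.9 transport=ws',
  '2026-05-09T20:01:01Z auth login failed user=skipper src=203.0.113.9 transport=ws',
  '2026-05-09T20:01:02Z auth login ok user=skipper src=192.0.2.20 transport=http',
  '2026-05-09T20:01:03Z auth login failed user=admin src=203.0.113.9 transport=ws',
  '2026-05-09T20:01:30Z auth login failed user=crew src=192.0.2.20 transport=http',
  '2026-05-09T20:15:00Z auth login failed user=admin src=203.0.113.9 transport=ws',
];

const LINE_RE = /^(\S+) auth login (ok|failed) user=(\S+) src=(\S+) transport=(\S+)$/;

// Parse one constructed log line into an event, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), outcome: m[2], user: m[3], src: m[4], transport: m[5] };
}

// Return sources whose failed-login count within any span of `windowMs`
// reaches `threshold`, with the peak count and the transports involved.
// Counting per source across transports is the point: a WebSocket-only view
// or an HTTP-only view would each see fewer attempts than the client made.
function findBruteForceSources(lines, { windowMs = 10 * 60 * 1000, threshold = 3 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.outcome !== 'failed') continue;
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }
  const findings = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.ts - b.ts);
    // Two-pointer sliding window over the sorted failure timestamps.
    let start = 0;
    let peak = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) {
      findings.push({
        src,
        peakFailures: peak,
        transports: [...new Set(events.map((e) => e.transport))].sort(),
      });
    }
  }
  return findings.sort((a, b) => b.peakFailures - a.peakFailures);
}
```

Run over the sample, the single source that clusters four failures within a few seconds is reported while the source with one isolated failure is not; the `transports` field shows whether the activity arrived over the WebSocket path, the HTTP path, or both.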


Advisories
Source: GitHub GHSA
ID: GHSA-vmfm-ch9h-5c7g
Title: Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
History

Sat, 09 May 2026 20:45:00 +0000

First Time appeared
  Values Removed: (none)
  Values Added: Signalk; Signalk signalk-server
Vendors & Products
  Values Removed: (none)
  Values Added: Signalk; Signalk signalk-server

Sat, 09 May 2026 19:45:00 +0000

Description
  Values Removed: (none)
  Values Added: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
Title
  Values Removed: (none)
  Values Added: Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
Weaknesses
  Values Removed: (none)
  Values Added: CWE-307
References
  Values Removed: (none)
  Values Added: (none)
Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Signalk Signalk-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:12:10.082Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41893

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:27.273

Modified: 2026-05-09T20:16:27.273

Link: CVE-2026-41893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T20:30:41Z

Weaknesses