Not available
High
signalk-server

CVE-2026-41893

CVE-2026-41893 is a high-severity security vulnerability in signalk-server (npm), affecting versions <= 2.24.0. It is fixed in 2.25.0.

Key facts
CVSS score
Not available
High
Attack vector
Not available
Issuing authority
GitHub Advisory Database
Affected package
signalk-server
Fixed in
2.25.0
Disclosed
2026

Summary

The HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS). The WebSocket login path, sending {login: {username, password}} messages over an established WebSocket connection, calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).

Details

Vulnerable code: src/interfaces/ws.ts, function processLoginRequest (lines 753-780). The function directly calls app.securityStrategy.login(msg.login.username, msg.login.password) with no throttling or attempt tracking.

Rate-limited HTTP path for comparison: src/tokensecurity.ts lines 609-617 apply loginLimiter middleware to the HTTP login routes at line 637.

Steps to Reproduce

  • Start Signal K server with security enabled
  • Open a WebSocket connection to ws://server:3000/signalk/v1/stream?subscribe=none
  • Wait for the hello message
  • Send login attempts in rapid succession:

      {"requestId": "1", "login": {"username": "admin", "password": "guess1"}}
      {"requestId": "2", "login": {"username": "admin", "password": "guess2"}}

  • Observe that all attempts are processed without any 429 response or throttling
  • For comparison, send 100+ HTTP POST requests to /signalk/v1/auth/login; the 101st returns 429

A POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.

Impact

  • Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)
  • Complete bypass of the HTTP rate limiting defense
  • A single WebSocket connection is sufficient for unlimited attempts
  • With multiple parallel connections, throughput multiplies
  • A 10,000-word dictionary attack completes in ~8 minutes over a single connection

Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.

CWE

CWE-307: Improper Restriction of Excessive Authentication Attempts

Suggested Fix

Track failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.

Context

Found while building an open source maritime security scanner. Verified on v2.24.0 (current master). Discovered by Mark Curphey
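The suggested fix above, shown as an added example (not signalk-server's own code and not the 2.25.0 patch): one per-IP failed-attempt store consulted by both the HTTP login middleware and the WebSocket login handler, so the WebSocket path can no longer sidestep the HTTP limiter. The class and function names, the mock securityStrategy and the reply shapes are assumptions for illustration.

```javascript
// Added illustration of the advisory's suggested fix: a shared per-IP store of
// failed logins that both login paths check. All names here are hypothetical.
const WINDOW_MS = 10 * 60 * 1000;  // mirrors the advisory's default 10-minute window
const MAX_ATTEMPTS = 100;          // mirrors the advisory's default of 100 attempts

class FailedLoginStore {
  constructor(windowMs = WINDOW_MS, max = MAX_ATTEMPTS) {
    this.windowMs = windowMs; this.max = max; this.hits = new Map();
  }
  // Drop timestamps that fell out of the window and return how many remain.
  count(ip, now = Date.now()) {
    const fresh = (this.hits.get(ip) || []).filter(t => now - t < this.windowMs);
    this.hits.set(ip, fresh);
    return fresh.length;
  }
  isBlocked(ip, now = Date.now()) { return this.count(ip, now) >= this.max; }
  recordFailure(ip, now = Date.now()) { this.count(ip, now); this.hits.get(ip).push(now); }
  reset(ip) { this.hits.delete(ip); }
}

// Constructed stand-in for app.securityStrategy.login(): a single valid credential.
const securityStrategy = {
  login: (username, password) =>
    (username === 'admin' && password === 'correct-horse')
      ? { statusCode: 200, token: 'constructed-token' }
      : { statusCode: 401 }
};

// WebSocket side: handle a {login: {username, password}} message for a given
// remote IP. The store is checked BEFORE the (bcrypt-backed) login call, so a
// blocked client costs no hashing work. Returns the reply to send on the socket.
function wsLogin(store, remoteIp, msg, now = Date.now()) {
  if (store.isBlocked(remoteIp, now)) {
    return { requestId: msg.requestId, statusCode: 429, message: 'Too many login attempts' };
  }
  const result = securityStrategy.login(msg.login.username, msg.login.password);
  if (result.statusCode === 200) {
    store.reset(remoteIp);
    return { requestId: msg.requestId, statusCode: 200, login: { token: result.token } };
  }
  store.recordFailure(remoteIp, now);
  return { requestId: msg.requestId, statusCode: 401, message: 'Login failed' };
}

// HTTP side: Express-style middleware over the SAME store, so failures seen on
// either path count against the client on both.
function httpLoginGuard(store) {
  return (req, res, next) => (store.isBlocked(req.ip) ? res.status(429).end() : next());
}
```

In a real server the HTTP handler would also call recordFailure/reset after its own login result, exactly as wsLogin does, so that the counter is symmetric.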

Impact

Not available

Affected versions

npm

  • signalk-server (<= 2.24.0)

Security releases

  • signalk-server → 2.25.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-41893 is reachable in your applications. Explore open-source security for your team.

Remediation advice

Upgrade signalk-server to 2.25.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-41893

What is CVE-2026-41893?

CVE-2026-41893 is a high-severity security vulnerability in signalk-server (npm), affecting versions <= 2.24.0. It is fixed in 2.25.0.

Which versions of signalk-server are affected by CVE-2026-41893?

signalk-server (npm) versions <= 2.24.0 are affected.

Is there a fix for CVE-2026-41893?

Yes. CVE-2026-41893 is fixed in 2.25.0. Upgrade to this version or later.

Is CVE-2026-41893 exploitable, and should I be worried?

Whether CVE-2026-41893 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-41893 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-41893?

Upgrade signalk-server to 2.25.0 or later.