Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
Apache Kafka WebSocket API Fails to Limit Authentication Requests
CVE-2026-26305
Summary
Apache Kafka's WebSocket API doesn't limit how many times a user can try to authenticate. This makes it possible for an attacker to overload the system with fake requests, potentially blocking legitimate users or trying many passwords to break into the system. To protect against this, update Apache Kafka to the latest version or implement additional authentication checks.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mobility46 | mobility46.se | All versions | – |
Original title
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attac...
Original description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
nvd CVSS3.1
9.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-307
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 Third Party Advisory US Government Resource
- https://www.mobility46.se/en/contact-us Product
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026