CVE-2026-26051 in e-mobi.hu
Summary
by MITRE • 03/06/2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
by VulDB Data Team • 05/05/2026
The vulnerability described in CVE-2026-26051 represents a critical security flaw in WebSocket endpoint implementations within charging station communication protocols. This weakness specifically affects the Open Charge Point Protocol (OCPP) infrastructure where WebSocket connections serve as the primary communication channel between charging stations and backend management systems. The absence of proper authentication mechanisms creates a fundamental breach in the security model that governs these critical infrastructure components. The vulnerability is particularly concerning because it allows attackers to exploit the trust relationship that exists between legitimate charging stations and the backend systems, effectively enabling them to assume the identity of authorized devices without proper authorization.
The technical flaw manifests through the lack of authentication validation at the WebSocket endpoint level, where charging station identifiers are accepted without verification of the connecting device's legitimacy. This creates a scenario where an attacker can establish a WebSocket connection using a valid charging station ID, then proceed to send and receive OCPP commands as if they were a legitimate device. The vulnerability stems from the assumption that the charging station identifier alone is sufficient to authenticate a connection, which violates fundamental security principles of multi-factor authentication and identity verification. According to CWE-306, this represents a missing authentication check that allows unauthorized access to protected resources, while the ATT&CK framework categorizes this under privilege escalation techniques through protocol manipulation and identity spoofing.
The operational impact of this vulnerability extends far beyond simple data manipulation, creating serious risks for charging network integrity and security. Attackers can perform unauthorized station impersonation, which allows them to control charging sessions, manipulate billing data, and potentially disrupt the entire charging infrastructure. The ability to corrupt charging network data reported to backend systems means that attackers can alter transaction records, manipulate energy consumption data, and create false billing information that could result in financial losses for operators and users. Furthermore, the unauthorized control of charging infrastructure could lead to service disruption, safety hazards, and potential physical damage to charging stations. This vulnerability directly impacts the integrity of the charging network and undermines the trust that users place in the system's security measures.
Mitigation strategies for this vulnerability must address the fundamental authentication gap in the WebSocket implementation. Organizations should implement robust authentication mechanisms that verify the identity of connecting devices through secure token exchange, certificate-based authentication, or other multi-factor verification processes before establishing WebSocket connections. The implementation of proper session management and connection validation should be enforced at the protocol level to ensure that only authenticated and authorized charging stations can communicate with backend systems. Network segmentation and monitoring solutions should be deployed to detect anomalous connection patterns and unauthorized access attempts. Additionally, regular security assessments and penetration testing should be conducted to identify and remediate similar authentication weaknesses in the charging infrastructure. The solution should align with industry standards such as NIST SP 800-53 for security controls and ISO/IEC 27001 for information security management, ensuring comprehensive protection against this class of vulnerability.
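One way to close the gap described above, as an added example (not code from the vendor, MITRE or VulDB): the backend rejects the WebSocket upgrade unless the request carries a per-station secret bound to the station identifier in the URL. The path layout `/ocpp/<station_id>`, the HTTP Basic credential format, the `headers` dict with canonical header names, and the names `REGISTRY` and `authorize_upgrade` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

# Constructed sample registry: station id -> (salt, derived key of its secret).
REGISTRY = {"CP-0001": (b"salt-0001", _kdf(b"constructed-secret-1", b"salt-0001"))}
# Dummy entry so unknown ids take the same code path and time as known ones.
_DUMMY = (b"salt-dummy", _kdf(b"dummy", b"salt-dummy"))

def authorize_upgrade(path: str, headers: dict) -> tuple:
    """Check the HTTP upgrade request before any OCPP frame is accepted.

    Returns (101, station_id) to proceed or (401, reason) to refuse.
    Assumes the request arrived over TLS (wss://), since Basic credentials
    are only base64-encoded.
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return 401, "malformed credentials"
    user, sep, secret = decoded.partition(":")
    if not sep:
        return 401, "malformed credentials"
    salt, expected = REGISTRY.get(station_id, _DUMMY)
    secret_ok = hmac.compare_digest(_kdf(secret.encode(), salt), expected)
    # The credential must belong to the identifier claimed in the URL;
    # knowing a station id alone is never enough.
    id_ok = station_id in REGISTRY and hmac.compare_digest(
        user.encode(), station_id.encode())
    if not (secret_ok and id_ok):
        return 401, "authentication failed"
    return 101, station_id
```

Logging every 401 together with the claimed station identifier and source address gives the monitoring layer the anomalous-connection signal the mitigation paragraph calls for.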