CVE-2026-29796 in eParking.fi
Summary
by MITRE • 03/21/2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
by VulDB Data Team • 05/17/2026
This vulnerability represents a critical security flaw in WebSocket endpoint implementations within charging station communication systems, specifically affecting the Open Charge Point Protocol (OCPP) framework. The absence of proper authentication mechanisms creates a fundamental breach in the security model that governs how charging stations communicate with backend systems. The flaw allows attackers to establish connections to OCPP WebSocket endpoints without requiring valid credentials or authorization tokens, effectively bypassing the established security boundaries that should protect the charging infrastructure from unauthorized access.
The technical implementation of this vulnerability stems from the failure to validate client identities before accepting WebSocket connections for OCPP communication. When charging stations attempt to connect to the backend system through WebSocket endpoints, the system should verify the legitimacy of the connecting device using established authentication protocols. However, in this case, the system accepts connections based solely on the charging station identifier, which can be easily discovered or guessed by attackers. This design flaw enables what is known as identity spoofing or impersonation attacks, where malicious actors can masquerade as legitimate charging stations within the network.
The operational impact of this vulnerability extends far beyond simple unauthorized access, creating a comprehensive threat vector that can compromise the entire charging infrastructure ecosystem. An attacker who successfully exploits this vulnerability can perform privilege escalation by assuming the identity of legitimate charging stations, potentially gaining elevated privileges within the system. This impersonation capability allows for unauthorized control of charging operations, including the ability to modify charging parameters, initiate or terminate charging sessions, and manipulate billing data. The vulnerability particularly affects the integrity of charging network data, as attackers can corrupt information reported to backend systems, potentially leading to financial losses and operational disruptions.
From a cybersecurity perspective, this vulnerability aligns with several key weakness classifications, including CWE-287, which addresses improper authentication, and CWE-306, which covers missing authentication. The attack surface is particularly concerning given the critical nature of charging infrastructure and the potential for significant financial and operational impact. The threat model for this vulnerability follows ATT&CK framework patterns under T1078, which covers valid accounts, and T1046, which covers network service scanning, as attackers would need to discover valid charging station identifiers before exploiting this weakness. The vulnerability also represents a significant risk to the integrity of charging networks, as it allows attackers to manipulate data flows and potentially cause widespread disruption across connected charging infrastructure.
Mitigation strategies for this vulnerability must address the fundamental authentication failure at the WebSocket endpoint level. Organizations should implement robust authentication mechanisms that require valid credentials or certificates before establishing WebSocket connections for OCPP communications. This includes implementing mutual TLS authentication, requiring API keys or tokens, and establishing proper identity verification processes for all connecting charging stations. Additionally, network segmentation and monitoring should be implemented to detect unauthorized connection attempts and anomalous behavior patterns that may indicate exploitation attempts. Regular security assessments and penetration testing should be conducted to ensure that authentication mechanisms remain effective against evolving threat vectors. The implementation of logging and audit trails for all WebSocket connections and OCPP command executions will also provide crucial forensic capabilities for detecting and responding to potential exploitation attempts.
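One way to enforce the credential check at the WebSocket upgrade, before any OCPP message is accepted, shown as an added example that is not code from eParking.fi or VulDB. It assumes the per-station key arrives as HTTP Basic credentials on the upgrade request, the station identifier is the last URL path segment, and credentials live in a constructed in-memory store; the function names and the /ocpp/ path are hypothetical.

```python
import base64
import hashlib
import hmac
import logging

log = logging.getLogger("ocpp.handshake")

def derive(key: bytes, salt: bytes) -> bytes:
    """Store only a salted, slow hash of each station key, never the key."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, 100_000)

# Constructed sample store: station id -> (salt, derived key). Values are made up.
STATIONS = {"CP-0001": (b"constructed-salt",
                        derive(b"constructed-station-key", b"constructed-salt"))}

def authorize_handshake(path: str, headers: dict) -> tuple:
    """Decide on a WebSocket upgrade before any OCPP frame is accepted.

    Returns (http_status, reason); 101 means the upgrade may proceed.
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme, _, blob = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return _reject(401, "missing credentials", station_id)
    try:
        user, sep, key = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return _reject(401, "malformed credentials", station_id)
    if not sep:
        return _reject(401, "malformed credentials", station_id)
    # The identifier in the URL alone proves nothing: it must match the
    # identity the credential was issued to.
    if user.decode("utf-8", "replace") != station_id:
        return _reject(403, "identity mismatch", station_id)
    # Unknown stations take the same hashing path as known ones.
    salt, expected = STATIONS.get(station_id, (b"unknown", b""))
    if not hmac.compare_digest(derive(key, salt), expected):
        return _reject(401, "invalid credentials", station_id)
    return 101, "ok"

def _reject(status: int, reason: str, station_id: str) -> tuple:
    # Audit trail for rejected upgrades; %r keeps odd identifiers on one log line.
    log.warning("ocpp upgrade rejected status=%d reason=%s station=%r",
                status, reason, station_id)
    return status, reason
```

The rejected-upgrade log lines give monitoring a signal for identifier guessing. Mutual TLS, which the analysis also names, binds the station identity to a client certificate instead of a shared key.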