CVE-2026-20781

Critical

Published: 27 February 2026

Published

27 February 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0020 41.3th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match

prevent

Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation and command issuance.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to OCPP WebSocket endpoints and backend data manipulation, blocking unauthenticated station impersonation.

AC-14 Permitted Actions Without Identification or Authentication partial match

prevent

Explicitly identifies and limits critical actions like OCPP command execution that can be performed without identification or authentication to mitigate risks from missing mechanisms.

Security SummaryAI

CVE-2026-20781 is a vulnerability in OCPP WebSocket endpoints that lack proper authentication mechanisms, enabling unauthorized station impersonation and manipulation of data sent to the backend. Published on 2026-02-27, it affects charging station software communicating via OCPP protocols with backend systems. Classified under CWE-306 (Missing Authentication for Critical Function), the issue has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high confidentiality and integrity impacts with low availability impact.

An unauthenticated attacker with network access can exploit the vulnerability by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. Once connected, the attacker can issue or receive OCPP commands as a legitimate charger without authentication, resulting in privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Advisories including CISA ICSA-26-057-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03), the corresponding CSAF document (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-03.json), and vendor support (https://cloudcharge.tech/support/contact/) provide further details on mitigations for this vulnerability.

Details

CWE(s): CWE-306

Affected Products

cloudcharge

cloudcharge.se

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability in the OCPP WebSocket endpoint lacks authentication, allowing unauthenticated network attackers to exploit a public-facing application for station impersonation, data manipulation, and unauthorized control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://cloudcharge.tech/support/contact/
Product · ics-cert@hq.dhs.gov
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-03.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov