Cyber Posture

CVE-2026-26051

Critical

Published: 06 March 2026

Published
06 March 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0018 38.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

more

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match
prevent

Requires unique identification and authentication of devices such as charging stations before establishing network connections like WebSockets, directly preventing unauthorized station impersonation.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for all access to WebSocket endpoints, blocking unauthenticated connections and data manipulation.

AC-17 Remote Access good match
preventdetect

Authorizes, configures, and monitors remote access methods including OCPP WebSocket endpoints to ensure only authenticated remote connections from legitimate stations are permitted.

Security SummaryAI

CVE-2026-26051, published on 2026-03-06, is a critical vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from WebSocket endpoints that lack proper authentication mechanisms (CWE-306). It affects OCPP WebSocket endpoints in charging infrastructure backends, where attackers can perform unauthorized station impersonation and manipulate data sent to the backend.

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. This allows them to issue or receive OCPP commands as a legitimate charger, resulting in privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigation details are provided in related advisories, including CISA ICS Advisory ICSA-26-062-06 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat). Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s)
CWE-306

Affected Products

mvm
mobiliti e-mobi.hu
all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation of public-facing application (T1190), privilege escalation (T1068), and station impersonation (T1656).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References