CVE-2026-26288

Critical

Published: 06 March 2026

Published

06 March 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0017 37.2th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match

prevent

Requires unique identification and authentication of charging station devices before allowing WebSocket connections, directly preventing unauthorized station impersonation.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to OCPP WebSocket endpoints and commands, addressing the lack of authentication mechanisms that enable data manipulation.

AC-17 Remote Access good match

prevent

Authorizes and controls remote access to WebSocket endpoints used by charging stations, mandating authentication to block unauthenticated connections.

Security SummaryAI

CVE-2026-26288 is a vulnerability in WebSocket endpoints that lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. It affects OCPP WebSocket endpoints used by charging stations to communicate with backend systems. Published on 2026-03-06, the issue is rated with a CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-306 (Missing Authentication for Critical Function).

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. This allows privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CISA ICS Advisory ICSA-26-062-08 provides details on mitigation, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json.

Details

CWE(s): CWE-306

Affected Products

everon

api.everon.io

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1684.001 Impersonation Stealth

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.

attack.mitre.org →

Why these techniques?

Vulnerability in unauthenticated WebSocket endpoints enables exploitation of public-facing application (T1190), exploitation of remote services (T1210), privilege escalation via impersonation (T1068, T1656).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json
Product · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08
US Government Resource · ics-cert@hq.dhs.gov