CVE-2026-29796

CVE-2026-29796 is a vulnerability in WebSocket endpoints that lack proper authentication mechanisms, classified under CWE-306 (Missing Authentication for Critical Function). It affects the OCPP WebSocket endpoint in charging infrastructure backends, where charging stations connect to send and receive commands. Published on 2026-03-20, the issue has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for confidentiality, integrity, and limited availability impacts.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no privileges. By connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, the attacker can impersonate a legitimate charger, issue or receive OCPP commands, and manipulate data sent to the backend. This leads to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigation guidance is provided in CISA ICS Advisory ICSA-26-078-08, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json.