Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized exposure of charging station authentication credentials
Action: Contact Vendor
AI Analysis

Impact

The vulnerability allows attackers to retrieve charging station authentication identifiers that are publicly exposed through web-based mapping platforms. This exposes credentials that could be used to gain unauthorized control over charging stations, potentially compromising the confidentiality and integrity of the IoT infrastructure. The flaw is an instance of Insufficiently Protected Credentials (CWE-522).

Affected Systems

The affected product is CloudCharge cloudcharge.se. No specific product versions are listed as impacted.

Risk and Exploitability

The CVSS score is 6.9, indicating medium severity. The EPSS score is less than 1%, reflecting a low probability of exploitation at the current time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by sending standard web requests to the mapping service, which returns authentication identifiers without requiring authentication or other preconditions.

Generated by OpenCVE AI on April 16, 2026 at 06:00 UTC.

Remediation

Vendor Workaround

CloudCharge did not respond to CISA's request for coordination. For more information, contact CloudCharge through their contact page: https://cloudcharge.tech/support/contact/


OpenCVE Recommended Actions

  • Reach out to CloudCharge support to obtain a fix or update that protects the credentials.
  • Limit access to the web-based mapping service to trusted IP ranges or enforce authentication before displaying credentials.
  • Deploy monitoring for anomalous access to the mapping platform and regularly review logs for unauthorized credential disclosure.



Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudcharge:cloudcharge.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudcharge
Cloudcharge cloudcharge.se
Vendors & Products Cloudcharge
Cloudcharge cloudcharge.se

Fri, 27 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Title CloudCharge cloudcharge.se Insufficiently Protected Credentials
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-31T14:18:24.613Z

Reserved: 2026-02-24T00:00:39.955Z

Link: CVE-2026-20733

Vulnrichment

Updated: 2026-03-03T01:34:48.091Z

NVD

Status: Modified

Published: 2026-02-27T00:16:55.620

Modified: 2026-03-05T20:16:11.673

Link: CVE-2026-20733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z
