Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking and denial of service
Action: Use Workaround
AI Analysis

Impact

The WebSocket backend of the Everon api.everon.io service uses charging station identifiers as session identifiers, but permits multiple connections with the same identifier. Because those identifiers are predictable, an attacker can hijack or shadow a session: the newest connection displaces the legitimate station and receives the backend commands intended for it. The same behaviour also allows a malicious user to cause a denial of service by flooding the backend with valid session requests, as described in the advisory.
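
The displacement behaviour described above, modelled as an added example (this is not Everon's code): a session registry keyed by charging-station id in which the last connection wins, beside a hardened registry that requires a per-station secret (hypothetical provisioning), refuses to displace a live binding, only lets a binding lapse after an explicit idle timeout (the CWE-613 point), and records every refused attempt for detection. Station ids, connection ids and secrets are constructed.

```python
import hmac
import time


class ShadowableRegistry:
    """Weak form from the advisory: the station id alone binds a socket to a
    station, and a later connection with the same id silently replaces the
    earlier one, so backend commands go to whichever endpoint connected last."""

    def __init__(self):
        self.sessions = {}  # station_id -> conn_id

    def connect(self, station_id, conn_id):
        self.sessions[station_id] = conn_id
        return True

    def route(self, station_id):
        return self.sessions.get(station_id)


class HardenedRegistry:
    """Hardened form: a per-station secret (hypothetical provisioning) must be
    presented; a live binding is never displaced by a newcomer and lapses only
    after an explicit idle timeout (CWE-613); every refused attempt is recorded
    so shadowing attempts can be detected and alerted on."""

    def __init__(self, secrets, idle_timeout=60.0):
        self.secrets = secrets        # station_id -> secret (constructed)
        self.sessions = {}            # station_id -> (conn_id, last_seen)
        self.idle_timeout = idle_timeout
        self.alerts = []              # (reason, station_id, conn_id)

    def connect(self, station_id, conn_id, secret, now=None):
        now = time.monotonic() if now is None else now
        expected = self.secrets.get(station_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            self.alerts.append(("bad_credential", station_id, conn_id))
            return False
        held = self.sessions.get(station_id)
        if held and now - held[1] < self.idle_timeout:
            self.alerts.append(("duplicate_session", station_id, conn_id))
            return False              # the connected station keeps its session
        self.sessions[station_id] = (conn_id, now)
        return True

    def route(self, station_id):
        held = self.sessions.get(station_id)
        return held[0] if held else None
```

The `alerts` list is what a monitoring rule would consume: a `duplicate_session` entry for a station that is still heartbeating is the shadowing signature, and a burst of them across many station ids is the flooding pattern the advisory mentions.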

Affected Systems

The vulnerability applies to all deployments of Everon's WebSocket backend for charging stations. No specific product versions are listed, so the issue is treated as applying to the api.everon.io platform as a whole.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The flaw is not currently listed in CISA's KEV catalog. Based on the description, the likely attack vector is network access to the WebSocket endpoint combined with knowledge of a charging station identifier. An attacker would need to open a WebSocket connection that reuses a valid session identifier, which could be done remotely over the internet when the endpoint is exposed. Because Everon shut down the platform on December 1, 2025, the active attack surface has largely been removed, but legacy or misconfigured instances could still be vulnerable.

Generated by OpenCVE AI on April 18, 2026 at 19:32 UTC.

Remediation

Vendor Workaround

Everon shut down their platform on December 1st, 2025.


OpenCVE Recommended Actions

  • Restrict access to the WebSocket endpoint by applying firewall rules that allow only trusted IP ranges or internal networks.
  • Implement monitoring for anomalous session activity and enforce rate limiting to mitigate flooding attempts.
  • As the vendor states, the platform was shut down on December 1, 2025; ensure that no production traffic remains on the former API endpoint.

Tracking

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Everon; Everon api.everon.io

Type: Vendors & Products
Values Removed: (empty)
Values Added: Everon; Everon api.everon.io

Fri, 06 Mar 2026 15:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Type: Title
Values Removed: (empty)
Values Added: Everon api.everon.io Insufficient Session Expiration

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-613

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Everon Api.everon.io
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T17:59:09.054Z

Reserved: 2026-02-25T15:28:27.138Z

Link: CVE-2026-20748

Vulnrichment

Updated: 2026-03-10T17:49:06.436Z

NVD

Status : Awaiting Analysis

Published: 2026-03-06T16:16:09.707

Modified: 2026-03-10T18:18:05.580

Link: CVE-2026-20748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses