Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized control of charging infrastructure and data corruption
Action: Mitigate
AI Analysis

Impact

WebSocket endpoints in CloudCharge’s cloudcharge.se platform lack authentication, allowing attackers to impersonate charging stations or consume data. This flaw enables an unauthenticated user to connect to the OCPP WebSocket, issue or receive commands as a legitimate charger, and consequently raise privileges or alter backend data. The result is direct compromise of charging infrastructure operations and integrity of the network’s reported information.

Affected Systems

The vulnerability affects the CloudCharge cloudcharge.se application, specifically its WebSocket interface used by charging stations. No specific version details are provided, but all deployments of the integrated OCPP endpoint are impacted.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical severity. The EPSS score is below 1%, suggesting that real-world exploitation is unlikely at present, though the CVE is not listed in CISA’s KEV catalog. Attackers can exploit the weakness by simply establishing a WebSocket connection with a known or discovered station identifier, a process that requires no credentials. Because authentication is absent, the attack vector is straightforward and does not require additional preconditions beyond network connectivity to the OCPP endpoint.

Generated by OpenCVE AI on April 17, 2026 at 14:12 UTC.

Remediation

Vendor Workaround

CloudCharge did not respond to CISA's request for coordination. Contact CloudCharge using their contact page here: https://cloudcharge.tech/support/contact/ for more information.

OpenCVE Recommended Actions

  • Contact CloudCharge support via their contact page for guidance on interim protection, as no public patch is available yet.
  • Restrict access to the OCPP WebSocket endpoint by implementing network segmentation or firewall rules to allow connections only from authorized charging stations
  • Configure monitoring to detect unauthorized OCPP command traffic and alert administrators

Generated by OpenCVE AI on April 17, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudcharge:cloudcharge.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudcharge
Cloudcharge cloudcharge.se
Vendors & Products Cloudcharge
Cloudcharge cloudcharge.se

Thu, 26 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title CloudCharge cloudcharge.se Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Cloudcharge Cloudcharge.se
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T19:40:05.284Z

Reserved: 2026-02-24T00:00:40.119Z

Link: CVE-2026-20781

cve-icon Vulnrichment

Updated: 2026-03-02T20:38:09.399Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:55.807

Modified: 2026-03-05T20:16:11.893

Link: CVE-2026-20781

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses