Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or misrouting legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential credential compromise
Action: Apply Rate Limit
AI Analysis

Impact

The vulnerability exists in the WebSocket API of Chargemap’s application, which does not enforce any limit on the number of authentication attempts. Because users can send unlimited authentication requests, an attacker can flood the service with requests, causing denial of service or diverting telemetry from legitimate chargers. Additionally, the absence of rate limiting allows brute‑force attempts to obtain valid credentials and potentially gain unauthorized access.

Affected Systems

Chargemap’s Cargemap.com service. No specific version numbers are listed; the issue applies to the WebSocket endpoint used for charger telemetry and client authentication.

Risk and Exploitability

The CVSS score of 8.7 rates the vulnerability as high, while the EPSS score indicates a very low probability of exploitation in the near term. Because the attack can be carried out from any remote system that can reach the WebSocket endpoint, it is an external remote vulnerability. The lack of a CISA KEV listing suggests that no known active exploit is published; however, the potential to disrupt service or compromise credentials remains significant.

Generated by OpenCVE AI on April 16, 2026 at 15:53 UTC.

Remediation

Vendor Workaround

Chargemap did not respond to CISA's request for coordination. Contact Chargemap using their contact page here: https://chargemap.com/en-us/support for more information.

OpenCVE Recommended Actions

  • Implement authentication rate limiting on the WebSocket endpoint to restrict the number of authentication attempts per IP or per client within a given timeframe.
  • Add a short temporary lockout or exponential back‑off for repeated failed authentication attempts to reduce brute‑force effectiveness.
  • Contact Chargemap support via their contact page for an official patch or detailed guidance; attack mitigation can be coordinated with them.
  • Monitor authentication logs for abnormal spikes and investigate potential scanning or brute‑force activity.

Generated by OpenCVE AI on April 16, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chargemap:chargemap.com:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Chargemap
Chargemap chargemap.com
Vendors & Products Chargemap
Chargemap chargemap.com

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or misrouting legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title Chargemap chargemap.com Improper Restriction of Excessive Authentication Attempts
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Chargemap Chargemap.com
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T19:42:31.634Z

Reserved: 2026-02-20T18:28:15.455Z

Link: CVE-2026-20792

cve-icon Vulnrichment

Updated: 2026-03-02T20:40:38.216Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:56.180

Modified: 2026-03-05T20:16:12.377

Link: CVE-2026-20792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses