Description
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking
Action: Patch
AI Analysis

Impact

The vulnerability arises because the WebSocket backend uses predictable charging station identifiers as session keys without restricting multiple endpoints from using the same ID. This flaw allows an attacker to infer or guess a valid session identifier and establish a connection that shadows or replaces a legitimate station, enabling the attacker to receive backend commands intended for that station. In addition, the permissive reuse of session identifiers can be exploited to flood the backend with valid session requests, causing a denial‑of‑service. The impact includes unauthorized control of charging stations, potential financial loss, and service interruption, while the confidentiality and integrity of backend communications are compromised.

Affected Systems

All EV2GO installations that use the ev2go.io WebSocket backend are affected. No specific product versions are listed, so the risk applies broadly to any deployment of EV2GO that employs the session‑identification scheme described. Users with legacy deployments should verify whether the backend uses predictable session identifiers.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score is below 1 %, suggesting a low likelihood of widespread exploitation. The vulnerability is not present in the CISA KEV catalog. The attack requires remote network access to the WebSocket endpoint and the ability to guess or predict a valid session identifier; thus, it is inferred to be a remote, network‑level attack vector. Once a session identifier is obtained, the attacker can hijack or shadow an existing session, or overwhelm the backend by repeatedly requesting new sessions, leading to denial of service.

Generated by OpenCVE AI on April 17, 2026 at 14:10 UTC.

Remediation

Vendor Workaround

EV2GO did not respond to CISA's request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

OpenCVE Recommended Actions

  • Apply any EV2GO update that properly enforces unique session identifiers and session expiration.
  • If an update is not yet available, restrict WebSocket access to trusted hosts and require stations to authenticate with an additional token before establishing a session.
  • Configure the backend to reject any connection that attempts to reuse an existing session identifier, and increase the session timeout so that stale sessions are terminated automatically.
  • Monitor connection logs for duplicate session IDs or rapid connection attempts and consider blocking offending IP addresses.
  • Contact EV2GO via their contact page at https://ev2go.io/ for further guidance on mitigating session hijacking until an official fix is released.

Generated by OpenCVE AI on April 17, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ev2go:ev2go.io:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Ev2go
Ev2go ev2go.io
Vendors & Products Ev2go
Ev2go ev2go.io

Fri, 27 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title EV2GO ev2go.io Insufficient Session Expiration
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Ev2go Ev2go.io
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:10:55.114Z

Reserved: 2026-02-23T23:41:36.739Z

Link: CVE-2026-20895

cve-icon Vulnrichment

Updated: 2026-03-02T20:37:42.916Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:56.350

Modified: 2026-03-05T21:16:14.407

Link: CVE-2026-20895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses