Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure and Potential Unauthorized Management Access
Action: Assess Impact
AI Analysis

Impact

The vulnerability exposes charging station authentication identifiers, which are publicly accessible through web-based mapping platforms. This insufficient protection of credentials (CWE-522) may allow an attacker to obtain identifiers that could grant access to the charging station management interface, creating a confidentiality breach and a pathway to compromising the integrity or availability of the charging infrastructure. The official description does not explicitly state that these identifiers enable direct access to the management interface; that use is inferred from the nature of the credentials involved.

Affected Systems

The affected product is the EV2GO online platform for electric vehicle charging stations (EV2GO:ev2go.io). No specific version information is provided, so any deployment that leaves authentication identifiers exposed in public mapping services is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates medium risk. The EPSS score is below 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying that no known active exploits are reported. Based on publicly available information, the likely attack vector is network-based collection of the publicly exposed identifiers, which requires only reconnaissance and no authentication to access the data.

Generated by OpenCVE AI on April 17, 2026 at 14:10 UTC.

Remediation

Vendor Workaround

EV2GO did not respond to CISA's request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.


OpenCVE Recommended Actions

  • Verify whether EV2GO infrastructure is currently deployed and if charging station authentication identifiers are exposed through public mapping services.
  • Secure or encrypt authentication identifiers to prevent their public exposure; implement access controls or opt‑in configurations that restrict mapping visibility.
  • Contact EV2GO via their website for remediation guidance and to report the vulnerability, as the vendor has not released a formal patch or coordination response.

Generated by OpenCVE AI on April 17, 2026 at 14:10 UTC.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'} |


Mon, 02 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 02 Mar 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:ev2go:ev2go.io:*:*:*:*:*:*:*:* |

Fri, 27 Feb 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Ev2go; Ev2go ev2go.io |
| Vendors & Products | | Ev2go; Ev2go ev2go.io |

Fri, 27 Feb 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| Title | | EV2GO ev2go.io Insufficiently Protected Credentials |
| Weaknesses | | CWE-522 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:13:55.698Z

Reserved: 2026-02-23T23:41:36.723Z

Link: CVE-2026-22890

Vulnrichment

Updated: 2026-03-02T20:37:16.286Z

NVD

Status: Modified

Published: 2026-02-27T00:16:56.523

Modified: 2026-03-05T21:16:14.957

Link: CVE-2026-22890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials