Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Infrastructure Control
Action: Immediate Patch
AI Analysis

Impact

WebSocket endpoints in the EV2GO platform omit authentication, allowing an attacker to connect to the OCPP WebSocket using a known charging station identifier and issue or receive commands as if acting as a legitimate charger. This misconfiguration permits remote privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Affected Systems

The affected system is EV2GO’s ev2go.io platform. No version information was disclosed, so all deployments may be impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS probability is below 1%, implying limited current exploitation activity. The vulnerability is not listed in CISA’s KEV catalog, so no known exploitation campaigns have been reported. The attack vector is network-based, requiring only remote access to the WebSocket endpoint and knowledge of a charging station ID.

Generated by OpenCVE AI on April 16, 2026 at 15:50 UTC.

Remediation

Vendor Workaround

EV2GO did not respond to CISA's request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

OpenCVE Recommended Actions

  • Contact EV2GO to obtain a patch that enforces authentication on the OCPP WebSocket endpoint.
  • If a patch is unavailable, restrict network access to the WebSocket endpoint to trusted internal networks or VPNs only.
  • Implement monitoring for abnormal OCPP command traffic and alert on unauthorized session initiation.

Generated by OpenCVE AI on April 16, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ev2go:ev2go.io:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Ev2go
Ev2go ev2go.io
Vendors & Products Ev2go
Ev2go ev2go.io

Fri, 27 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title EV2GO ev2go.io Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Ev2go Ev2go.io
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:16:11.799Z

Reserved: 2026-02-23T23:41:36.757Z

Link: CVE-2026-24731

cve-icon Vulnrichment

Updated: 2026-03-03T01:33:59.126Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:56.683

Modified: 2026-03-05T21:16:15.407

Link: CVE-2026-24731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses