Description
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Session Hijacking and Potential DoS
Action: Assess Impact
AI Analysis

Impact

The WebSocket backend at Chargemap associates charging session identifiers to stations, but it accepts multiple connections sharing the same identifier. Because the identifiers are predictable, an attacker can hijack or shadow an active session, forcing the backend to send commands to a different station. This flaw enables an unauthorized user to impersonate another station, gaining control over its operations, or to flood the backend with session requests, causing a denial of service. The weakness is a classic session management flaw, identified as CWE‑613.

Affected Systems

The vulnerability affects the Chargemap charging station platform accessed via chargemap.com. No specific product version or version range is listed, so all deployments using the WebSocket backend presented in the current application are potentially vulnerable.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium severity risk. The EPSS shows a probability of fewer than 1 %, suggesting a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation appears to require reachability of the WebSocket endpoint and the ability to supply a chosen session identifier. Because the session IDs are predictable and the backend accepts concurrent connections with the same ID, an attacker can hijack an existing session or shadow the legitimate station without needing privileged credentials, making this flaw readily exploitable for non‑destructive attacks such as unauthorized control or DoS.

Generated by OpenCVE AI on April 16, 2026 at 15:53 UTC.

Remediation

Vendor Workaround

Chargemap did not respond to CISA's request for coordination. Contact Chargemap using their contact page here: https://chargemap.com/en-us/support for more information.

OpenCVE Recommended Actions

  • Contact Chargemap’s support team via their support page and request a fix that enforces unique, unguessable session identifiers and session expiration.
  • Restrict access to the WebSocket backend by limiting connections to known, trusted IP addresses or network segments, and require authentication before allowing a session to be established.
  • Implement monitoring of the WebSocket traffic for duplicate or rapidly changing session identifiers, and configure alerts for suspicious session shadowing activity.

Generated by OpenCVE AI on April 16, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chargemap:chargemap.com:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Chargemap
Chargemap chargemap.com
Vendors & Products Chargemap
Chargemap chargemap.com

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title Chargemap chargemap.com Insufficient Session Expiration
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Chargemap Chargemap.com
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:19:35.596Z

Reserved: 2026-02-20T18:28:15.465Z

Link: CVE-2026-25711

cve-icon Vulnrichment

Updated: 2026-03-02T20:40:11.554Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:57.200

Modified: 2026-03-05T21:16:16.000

Link: CVE-2026-25711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses