Description
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking and denial of service via predictable session identifiers
Action: Monitor
AI Analysis

Impact

The WebSocket backend of EV Energy’s ev.energy platform uses charging station identifiers as session tokens, allowing multiple endpoints to connect using the same session ID. Because the identifiers are predictable, an attacker can hijack or shadow a legitimate charging station, receiving and potentially manipulating backend commands meant for that station. The flaw also permits flooding the backend with valid session requests, creating a denial‑of‑service condition.

Affected Systems

The vulnerability affects all deployments of the ev.energy WebSocket backend; no specific version information is supplied, and the product is identified as EV Energy ev.energy.

Risk and Exploitability

With a CVSS score of 6.9, the flaw is considered medium severity. The EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to establish a WebSocket connection to the backend, which is likely reachable remotely; the attack vector is therefore inferred to be remote client access. An attacker who can authenticate as, or masquerade as, a WebSocket client can hijack session state or overwhelm the service with session requests.

Generated by OpenCVE AI on April 16, 2026 at 05:59 UTC.

Remediation

Vendor Workaround

EV Energy did not respond to CISA's request for coordination. Contact EV Energy through their contact page (https://www.ev.energy/en-us) for more information.

OpenCVE Recommended Actions

  • Contact EV Energy through their support portal to request a patch or detailed remediation guidance.
  • If a patch is unavailable, restrict access to the WebSocket endpoint by firewall rules, allowing only trusted charging station IP addresses or networks.
  • Configure monitoring of WebSocket connection logs to detect duplicate or suspicious session identifiers and temporarily disable affected stations until a fix is applied.
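One way to implement the log monitoring this action calls for, and to replay the displacement behaviour the description explains, as an added example that is not part of the advisory or of ev.energy's code; the log line format, station IDs, peer addresses and the flood threshold are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not ev.energy's real format):
# "<ISO timestamp> <CONNECT|DISCONNECT> station=<id> peer=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) "
                     r"station=(?P<station>\S+) peer=(?P<peer>\S+)$")

# Constructed sample: CS-1001 is displaced by a second peer; one peer presents
# three different station IDs in quick succession.
SAMPLE_LOG = """\
2026-02-27T10:00:01Z CONNECT station=CS-1001 peer=10.0.0.5
2026-02-27T10:00:02Z CONNECT station=CS-1002 peer=10.0.0.6
2026-02-27T10:00:03Z DISCONNECT station=CS-1002 peer=10.0.0.6
2026-02-27T10:00:04Z CONNECT station=CS-1002 peer=10.0.0.6
2026-02-27T10:05:10Z CONNECT station=CS-1001 peer=203.0.113.9
2026-02-27T10:05:11Z CONNECT station=CS-1003 peer=203.0.113.9
2026-02-27T10:05:12Z CONNECT station=CS-1004 peer=203.0.113.9
"""

def analyze(log_text, flood_threshold=3):
    """Replay connection events; return (shadowing, flooding) findings.

    shadowing: CONNECT for a station whose session is still held by a
    different peer, i.e. the new socket would displace the legitimate one.
    flooding: peers that present >= flood_threshold distinct station IDs,
    a heuristic for one endpoint mass-producing 'valid' session requests.
    """
    active = {}                   # station -> peer currently holding the session
    per_peer = defaultdict(set)   # peer -> station IDs it has presented
    shadowing, flooding = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a connection event
        ts, event, station, peer = m.group("ts", "event", "station", "peer")
        if event == "DISCONNECT":
            if active.get(station) == peer:   # only the holder can release it
                del active[station]
            continue
        holder = active.get(station)
        if holder is not None and holder != peer:
            shadowing.append((ts, station, holder, peer))
        active[station] = peer    # mirrors the backend's last-writer-wins behaviour
        per_peer[peer].add(station)
    for peer, stations in per_peer.items():
        if len(stations) >= flood_threshold:
            flooding.append((peer, sorted(stations)))
    return shadowing, flooding
```

A reconnect from the same peer after a clean DISCONNECT (CS-1002 above) is not flagged, so the check only fires when a still-open session is displaced by a different endpoint.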



Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Tue, 03 Mar 2026 06:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ev.energy; Ev.energy ev.energy
CPEs                |                | cpe:2.3:a:ev.energy:ev.energy:*:*:*:*:*:*:*:*
Vendors & Products  |                | Ev.energy; Ev.energy ev.energy

Fri, 27 Feb 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ev Energy; Ev Energy ev.energy
Vendors & Products  |                | Ev Energy; Ev Energy ev.energy

Fri, 27 Feb 2026 01:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title       |                | EV Energy ev.energy Insufficient Session Expiration
Weaknesses  |                | CWE-613
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-31T14:20:41.450Z

Reserved: 2026-02-24T00:16:49.674Z

Link: CVE-2026-26290

Vulnrichment

Updated: 2026-03-03T01:31:36.387Z

NVD

Status : Modified

Published: 2026-02-27T01:16:20.433

Modified: 2026-03-05T21:16:17.000

Link: CVE-2026-26290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses