Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote brute‑force and denial‑of‑service via unrestricted authentication attempts
Action: Apply Controls
AI Analysis

Impact

This weakness is classified as CWE-307: Improper Restriction of Excessive Authentication Attempts. The vulnerability lies in the WebSocket API used by Mobility46’s system, which places no limit on the number of authentication requests a client may send. Without rate limiting, an attacker can flood the service with authentication attempts, potentially overwhelming the application and causing denial of service, and can also brute‑force credentials to gain unauthorized access. The result is a compromise of the confidentiality, integrity, or availability of charger telemetry data and related operations.

Affected Systems

The weakness affects the Mobility46 mobility46.se product, specifically its WebSocket authentication API. No version information is supplied, so all current builds should be treated as potentially vulnerable.

Risk and Exploitability

The vulnerability is scored as high severity (CVSS 8.7) but has a very low exploitation probability (EPSS < 1%) and is not listed in the KEV catalog. The likely attack vector is a remote attacker reaching an exposed WebSocket endpoint from outside the network and repeatedly sending authentication messages to exhaust resources or guess credentials. The absence of known evidence of exploitation reduces the immediate risk, but the potential for a successful denial‑of‑service or unauthorized access event remains significant in affected environments.

Generated by OpenCVE AI on April 16, 2026 at 05:59 UTC.

Remediation

Vendor Workaround

Mobility46 did not respond to CISA's request for coordination. Contact Mobility46 using their contact page here: https://www.mobility46.se/en/contact-us for more information.


OpenCVE Recommended Actions

  • Implement rate limiting or throttling on authentication requests for the WebSocket API to prevent abuse or brute‑force attempts
  • Configure a firewall or API gateway to monitor authentication traffic, detect patterns of repeated failed attempts, and enforce temporary blocks or account lockout
  • Apply multi‑factor authentication or stronger credential management if possible, reducing the risk of successful brute‑force attacks
  • Contact Mobility46 through their provided support channels to report the vulnerability and request a patch, following the CNA‑provided workaround
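The first two recommended actions (throttling authentication attempts per client and locking out repeated failures) as a worked example. This is added illustration code, not Mobility46's product code or anything from the advisory; the JSON frame format, the token store, the client address and the thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict, deque

class AuthThrottle:
    """Per-client sliding-window failure counter with temporary lockout (hypothetical)."""
    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = defaultdict(deque)   # client key -> timestamps of failed attempts
        self._locked_until = {}               # client key -> time the lockout expires
    def is_locked(self, key, now):
        return self._locked_until.get(key, 0.0) > now
    def record_failure(self, key, now):
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
    def record_success(self, key):
        self._failures.pop(key, None)

# Constructed credential store; a real handler would verify a hashed secret or signed token.
VALID_TOKENS = {"charger-0042": "tok-constructed-secret"}

def handle_auth_message(throttle, client_ip, raw_frame, now):
    """Process one inbound WebSocket auth frame; returns 'ok', 'rejected' or 'throttled'."""
    if throttle.is_locked(client_ip, now):
        return "throttled"            # cheap rejection before any credential work
    try:
        msg = json.loads(raw_frame)
        charger_id, token = msg["charger_id"], msg["token"]
    except (ValueError, KeyError, TypeError):
        throttle.record_failure(client_ip, now)   # malformed frames count as failures too
        return "rejected"
    if VALID_TOKENS.get(charger_id) == token:
        throttle.record_success(client_ip)
        return "ok"
    throttle.record_failure(client_ip, now)
    return "rejected"

def simulate_burst(attempts=8):
    """Constructed burst of guessed tokens from one IP, then the valid token at t=10s."""
    t, ip = AuthThrottle(), "203.0.113.7"
    def frame(tok):
        return json.dumps({"charger_id": "charger-0042", "token": tok})
    results = [handle_auth_message(t, ip, frame(f"guess-{i}"), now=float(i)) for i in range(attempts)]
    results.append(handle_auth_message(t, ip, frame("tok-constructed-secret"), now=10.0))
    return results
```

Once the lockout triggers, even the correct token is turned away until the lockout expires, so the lockout window has to be balanced against legitimate chargers reconnecting after a network blip.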


Advisories

No advisories yet.

History

No values were removed in any of the changes below; each entry lists the values added.

Thu, 05 Mar 2026 20:45:00 +0000
  • Metrics added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 06:15:00 +0000
  • Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000
  • CPEs added: cpe:2.3:a:mobility46:mobility46.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000
  • First Time appeared: Mobility46; Mobility46 mobility46.se
  • Vendors & Products added: Mobility46; Mobility46 mobility46.se

Fri, 27 Feb 2026 01:00:00 +0000
  • Description added: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
  • Title added: Mobility46 mobility46.se Improper Restriction of Excessive Authentication Attempts
  • Weaknesses added: CWE-307
  • References: none recorded
  • Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

  Status: PUBLISHED
  Assigner: icscert
  Published:
  Updated: 2026-04-08T15:04:47.837Z
  Reserved: 2026-02-24T00:35:18.457Z
  Link: CVE-2026-26305

Vulnrichment

  Updated: 2026-03-03T01:29:02.667Z

NVD

  Status: Modified
  Published: 2026-02-27T01:16:20.617
  Modified: 2026-03-05T21:16:17.203
  Link: CVE-2026-26305

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-16T06:00:10Z

Weaknesses