Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Unauthorized Control of Charging Infrastructure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to connect to the OCPP WebSocket endpoint without authentication and impersonate any charging station whose identifier is known or guessable, issuing or receiving commands that the backend processes as if they came from the real charger. The consequences are integrity compromise of the charging data reported to the backend, unauthorized control of charging infrastructure, and potential denial of service to legitimate users (CVSS v4.0 VC:H/VI:H/VA:L). The weakness is CWE-306, Missing Authentication for Critical Function.

Affected Systems

Mobility46's mobility46.se platform is affected. No version range was disclosed and the CPE entry is unversioned, so all deployments should be treated as vulnerable.

Risk and Exploitability

With a CVSS v4.0 base score of 9.3 (v3.1: 9.4) the risk is critical, while the EPSS is below 1%, indicating a low current exploitation probability; the vulnerability is not in the KEV catalog. An attacker reachable from the network (AV:N) needs only the exposed WebSocket endpoint and a known or guessable charging station identifier; no credentials, user interaction or prior access are required, so the exploit path on this unauthenticated interface is straightforward, and the SSVC assessment rates it Automatable.

Generated by OpenCVE AI on April 15, 2026 at 23:52 UTC.
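The handshake and message flow described above, as an added example that is not code from Mobility46 or from this page: a minimal OCPP-J 1.6 central-system accept routine in the vulnerable form, where the chargePointId in the URL path is the only thing checked, next to a hardened form that requires the HTTP Basic credential defined by OCPP security profiles 1 and 2 and binds its username to that same identifier. The station identifiers, secrets, `STATIONS` registry and `simulate` helper are constructed for the example; the real platform's internals are not documented here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed station registry (hypothetical identifiers and secrets).
# A real CSMS stores a random salt per station; one fixed salt keeps this short.
_SALT = b"example-salt"


def _credential_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


STATIONS = {
    "CP-0001": _credential_hash("s3cret-for-cp-0001"),
    "CP-0002": _credential_hash("another-secret"),
}


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header a station sends under OCPP security profile 1 or 2."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def station_id_from_path(path: str) -> Optional[str]:
    """OCPP-J stations connect to ws(s)://host/<prefix>/<chargePointId>."""
    parts = [p for p in path.split("/") if p]
    return parts[-1] if parts else None


def vulnerable_accept(path: str, headers: dict):
    """CWE-306 pattern: the identifier in the URL is the only thing checked,
    so anyone who knows or guesses it is accepted as that station."""
    cp = station_id_from_path(path)
    return (True, cp) if cp in STATIONS else (False, "unknown station")


def hardened_accept(path: str, headers: dict):
    """Require a per-station credential whose username is the claimed identifier."""
    cp = station_id_from_path(path)
    if cp not in STATIONS:
        return False, "unknown station"
    offered = [p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")]
    if "ocpp1.6" not in offered:
        return False, "unsupported subprotocol"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False, "authentication required"
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return False, "malformed credential"
    # Binding the username to the path identifier stops a holder of one
    # station's secret from speaking as a different station.
    if user != cp or not hmac.compare_digest(_credential_hash(password), STATIONS[cp]):
        return False, "bad credential"
    return True, cp


def handle_call(state: dict, cp: str, raw: str) -> str:
    """Process one OCPP-J CALL, [2, uniqueId, action, payload], for an accepted
    session and return the CALLRESULT/CALLERROR. State is keyed by the session
    identity, so whatever the handshake accepted is what gets written."""
    msg = json.loads(raw)
    if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == 2):
        uid = msg[1] if isinstance(msg, list) and len(msg) > 1 else ""
        return json.dumps([4, uid, "ProtocolError", "", {}])
    _, uid, action, payload = msg
    if action == "BootNotification":
        state.setdefault(cp, {})["vendor"] = payload.get("chargePointVendor")
        return json.dumps([3, uid, {"status": "Accepted",
                                    "currentTime": "2026-02-27T00:00:00Z", "interval": 300}])
    if action == "StatusNotification":
        state.setdefault(cp, {})[payload["connectorId"]] = payload["status"]
        return json.dumps([3, uid, {}])
    return json.dumps([4, uid, "NotImplemented", "", {}])


def simulate(accept_fn, path: str, headers: dict, raw_call: str) -> dict:
    """Run the handshake with accept_fn and, if accepted, the CALL; return the
    resulting backend state so the effect of each accept policy is visible."""
    state: dict = {}
    ok, who = accept_fn(path, headers)
    if ok:
        handle_call(state, who, raw_call)
    return state


if __name__ == "__main__":
    # Attacker knows the identifier but holds no credential and sends only the path.
    forged = json.dumps([2, "1", "StatusNotification",
                         {"connectorId": 1, "errorCode": "NoError", "status": "Faulted"}])
    print(simulate(vulnerable_accept, "/ocpp/CP-0001", {}, forged))  # {'CP-0001': {1: 'Faulted'}}
    print(simulate(hardened_accept, "/ocpp/CP-0001", {}, forged))    # {}
```

With the vulnerable policy a forged StatusNotification is recorded against CP-0001 with no credential at all; the hardened policy rejects the same connection before any OCPP message is parsed. Security profile 3 (TLS client certificates) replaces the Basic-auth check with a comparison of the presented certificate's subject against the claimed identifier, which is the same binding enforced here.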

Remediation

Vendor Workaround

Mobility46 did not respond to CISA's request for coordination, so no vendor fix or workaround is available at the time of writing. Contact Mobility46 via its contact page (https://www.mobility46.se/en/contact-us) for more information.


OpenCVE Recommended Actions

  • Contact Mobility46 through their official channels requesting a fixed release and advise them of the identified flaw.
  • Restrict inbound traffic to the OCPP WebSocket endpoint to the addresses of the charging stations themselves (or the VPN/APN they connect through) so that the unauthenticated interface is not reachable from the public Internet.
  • If the system supports station authentication, enable it: OCPP-J defines security profiles for exactly this (HTTP Basic authentication with the station identity as username, over TLS, or mutual TLS with client certificates), and the backend should verify the credential against the claimed charging station identifier before it processes any OCPP message. Where the application itself cannot be changed, a TLS-terminating reverse proxy in front of the endpoint can enforce client certificates.
  • Log every WebSocket connection and OCPP message together with the source address and the claimed station identifier, keep an audit trail, and alert on a station identifier connecting from more than one address at the same time, on one address cycling through many identifiers, and on identifiers that are not in the station registry.

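Detection logic for the last recommendation, as an added example that is not part of this page or of the vendor's product: it runs three heuristics over constructed CSMS connection-log lines (the log format, addresses and identifiers are made up for the example; the real platform's logging is not documented here) and flags a station identifier reused from a second address within a short window, one address cycling through several identifiers, and identifiers absent from the station registry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up CSMS log format. 198.51.100.7 plays the
# attacker: it reuses CP-0001 while the real station is connected, then walks
# through further identifiers, one of which does not exist.
SAMPLE_LOG = """\
2026-02-27T10:00:01Z ws_connect src=203.0.113.10 cp=CP-0001
2026-02-27T10:00:05Z ocpp_call src=203.0.113.10 cp=CP-0001 action=BootNotification
2026-02-27T10:03:12Z ws_connect src=198.51.100.7 cp=CP-0001
2026-02-27T10:03:13Z ocpp_call src=198.51.100.7 cp=CP-0001 action=StatusNotification
2026-02-27T10:04:00Z ws_connect src=198.51.100.7 cp=CP-0002
2026-02-27T10:04:01Z ws_connect src=198.51.100.7 cp=CP-0003
2026-02-27T10:04:02Z ws_connect src=198.51.100.7 cp=CP-0004
2026-02-27T10:04:03Z ws_connect src=198.51.100.7 cp=CP-9999
2026-02-27T11:30:00Z ws_connect src=203.0.113.11 cp=CP-0002
"""

# Constructed registry of identifiers the backend actually knows about.
KNOWN_STATIONS = {"CP-0001", "CP-0002", "CP-0003", "CP-0004"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) cp=(?P<cp>\S+)")


def parse_line(line: str):
    """Return (timestamp, event, source, chargePointId) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["src"], m["cp"]


def detect(log_text: str, known_stations: set,
           window: timedelta = timedelta(minutes=10), enum_threshold: int = 3):
    """Return a list of (kind, src, cp, ts) findings.

    identifier_reuse    one chargePointId connecting from a second source address
                        within `window` of the previous connection for that id
    station_enumeration one source address using >= enum_threshold distinct
                        identifiers within `window` (reported once per source)
    unknown_station     a claimed identifier that is not in the registry at all
    """
    findings = []
    last_connect = {}            # cp  -> (ts, src) of its most recent connect
    per_src = defaultdict(list)  # src -> [(ts, cp), ...]
    enum_alerted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, src, cp = rec
        ts_text = line.split(" ", 1)[0]
        if cp not in known_stations:
            findings.append(("unknown_station", src, cp, ts_text))
        if event != "ws_connect":
            continue
        prev = last_connect.get(cp)
        if prev and prev[1] != src and ts - prev[0] <= window:
            findings.append(("identifier_reuse", src, cp, ts_text))
        last_connect[cp] = (ts, src)
        per_src[src].append((ts, cp))
        recent = {c for t, c in per_src[src] if ts - t <= window}
        if len(recent) >= enum_threshold and src not in enum_alerted:
            enum_alerted.add(src)
            findings.append(("station_enumeration", src, cp, ts_text))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, KNOWN_STATIONS):
        print(*finding)
```

The window and threshold are tuning knobs: stations behind carrier NAT legitimately change address, so the reuse rule only fires when the second connection arrives while the first is plausibly still live, and enumeration is reported once per source rather than once per identifier. The 11:30 connection in the sample is deliberately not flagged for that reason.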

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:00:00 +0000

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:mobility46:mobility46.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Mobility46; Mobility46 mobility46.se
Type: Vendors & Products
Values Added: Mobility46; Mobility46 mobility46.se

Fri, 27 Feb 2026 01:00:00 +0000

Type: Description
Values Added: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Type: Title
Values Added: Mobility46 mobility46.se Missing Authentication for Critical Function
Type: Weaknesses
Values Added: CWE-306
Type: References
Values Added: (empty)
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-08T15:04:09.928Z

Reserved: 2026-02-24T00:35:18.464Z

Link: CVE-2026-27028

Vulnrichment

Updated: 2026-03-03T01:29:43.696Z

NVD

Status : Modified

Published: 2026-02-27T01:16:20.790

Modified: 2026-03-05T21:16:17.400

Link: CVE-2026-27028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses