Description
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking and Denial of Service
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises because the WebSocket backend uses charging station identifiers as session identifiers and permits multiple endpoints to connect with the same identifier. Because the session IDs are predictable and not bound to a single device, an attacker can hijack an active session or shadow an existing one, so that commands intended for a legitimate station are delivered to the attacker's connection instead. This session hijacking leads to unauthorized authentication, allowing an attacker to act as another station, or allows the backend to be used as a vector for denial of service by flooding it with valid session requests.

Affected Systems

The affected product is Mobility46 mobility46.se. No specific affected version information is provided in the CVE entry, so all deployed instances of this product should be considered potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of being exploited in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector involves an attacker establishing a WebSocket connection to the backend and supplying a predictable session identifier. Once connected, the attacker can hijack or shadow an existing session, which may enable unauthorized control of a charging station or induce a denial-of-service condition. Because the vendor did not publicly provide a patch or coordinate with CISA, the risk depends largely on the exposure of the WebSocket endpoint.

Generated by OpenCVE AI on April 15, 2026 at 23:51 UTC.

Remediation

Vendor Workaround

Mobility46 did not respond to CISA's request for coordination. Contact Mobility46 through their contact page (https://www.mobility46.se/en/contact-us) for more information.


OpenCVE Recommended Actions

  • Contact Mobility46 through their official contact page to request an update or remediation guidance.
  • Enforce unique, random session identifiers for each connection and reject duplicate or overlapping session IDs to mitigate insufficient session control.
  • Restrict access to the WebSocket backend by firewall or network segmentation so that only trusted IPs or networks can connect.
  • Monitor system logs for signs of session hijacking or excessive connection attempts and alert on anomalies.
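The session-control and monitoring actions above, worked through as an added example that is not Mobility46's code: a hypothetical registry a WebSocket backend would consult on connect. It issues a random token instead of reusing the station id, refuses a second connection for a station that is already live (so a newcomer cannot displace it), counts refused attempts for alerting, and expires idle sessions so a dead station frees its id. All station ids, addresses and thresholds are constructed.

```python
import secrets
from typing import Dict, List, Optional

# Hypothetical session registry a WebSocket backend would call on connect.
# Constructed values only; this is an added example, not Mobility46 code.

class Session:
    def __init__(self, station_id: str, remote_addr: str, token: str, now: float):
        self.station_id, self.remote_addr, self.token = station_id, remote_addr, token
        self.last_seen = now

class SessionRegistry:
    """One live session per station id, bound to an unguessable random token."""
    def __init__(self, max_idle: float = 300.0, dup_alert_threshold: int = 3):
        self.max_idle, self.dup_alert_threshold = max_idle, dup_alert_threshold
        self._by_station: Dict[str, Session] = {}
        self._by_token: Dict[str, Session] = {}
        self._dup_attempts: Dict[str, int] = {}
        self.alerts: List[str] = []

    def open(self, station_id: str, remote_addr: str, now: float) -> Optional[str]:
        """Issue a random token, or None (and count the anomaly) if the station is already live."""
        if station_id in self._by_station:
            n = self._dup_attempts[station_id] = self._dup_attempts.get(station_id, 0) + 1
            if n >= self.dup_alert_threshold:
                self.alerts.append(f"{station_id}: {n} duplicate connects, latest from {remote_addr}")
            return None
        token = secrets.token_urlsafe(32)  # the session id is random, not the guessable station id
        sess = Session(station_id, remote_addr, token, now)
        self._by_station[station_id] = sess
        self._by_token[token] = sess
        return token

    def route_command(self, station_id: str) -> Optional[str]:
        sess = self._by_station.get(station_id)  # bound at open time, never the newest socket
        return sess.token if sess else None

    def expire_idle(self, now: float) -> List[str]:
        """Drop sessions idle past max_idle so a dead station frees its id; last_seen is refreshed by station traffic."""
        stale = [s for s in self._by_token.values() if now - s.last_seen > self.max_idle]
        for s in stale:
            self.close(s.token)
        return [s.station_id for s in stale]

    def close(self, token: str) -> bool:
        sess = self._by_token.pop(token, None)  # only the token holder can end the session
        if sess:
            del self._by_station[sess.station_id]
        return sess is not None
```

The `alerts` list is what the monitoring bullet would feed into a SIEM: repeated refused connects for one station id are the signature of an attempted shadowing.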


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:00:00 +0000

Type: Metrics
Values Removed: -
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 02:15:00 +0000

Type: Metrics
Values Removed: -
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type: CPEs
Values Removed: -
Values Added: cpe:2.3:a:mobility46:mobility46.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: -
Values Added: Mobility46; Mobility46 mobility46.se

Type: Vendors & Products
Values Removed: -
Values Added: Mobility46; Mobility46 mobility46.se

Fri, 27 Feb 2026 01:00:00 +0000

Type: Description
Values Removed: -
Values Added: The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Type: Title
Values Removed: -
Values Added: Mobility46 mobility46.se Insufficient Session Expiration

Type: Weaknesses
Values Removed: -
Values Added: CWE-613

Type: References
Values Removed: -
Values Added: -

Type: Metrics
Values Removed: -
Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-08T15:05:12.471Z

Reserved: 2026-02-24T00:35:18.446Z

Link: CVE-2026-27647

Vulnrichment

Updated: 2026-03-03T01:28:24.673Z

NVD

Status : Modified

Published: 2026-02-27T01:16:20.967

Modified: 2026-03-05T21:16:17.593

Link: CVE-2026-27647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses