Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking and Denial of Service
Action: Apply Workaround
AI Analysis

Impact

The WebSocket backend for Mobiliti e‑mobi.hu creates session identifiers based on charging station identifiers, but does not enforce uniqueness. As a result, multiple devices can connect with the same session ID, producing predictable identifiers that an attacker can exploit. The most recent connection displaces the legitimate station and receives any backend commands queued for that station. This allows an unauthorized user to impersonate another charging station or to send malicious commands. If the attacker repeatedly opens sessions, the backend can be saturated, producing a denial‑of‑service condition for legitimate users.

Affected Systems

The vulnerability affects the Mobiliti e‑mobi.hu WebSocket backend, which provides management for electric vehicle charging stations. No specific version information is available in the CVE report, so any deployment of this product may be impacted until a vendor fix is released.

Risk and Exploitability

With a CVSS score of 6.9, the issue is rated medium severity. The EPSS score is below 1%, indicating a very low but non‑zero probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a remote attacker who can reach the WebSocket endpoint; by sending a well-formed session request that carries a predictable session ID, the attacker can take over the session and issue commands, or overload the backend with such requests.

Generated by OpenCVE AI on April 16, 2026 at 11:22 UTC.

Remediation

Vendor Workaround

Mobiliti did not respond to CISA's request for coordination. For more information, contact Mobiliti through their contact page: https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat

OpenCVE Recommended Actions

  • Await and apply an official vendor patch or update for Mobiliti e‑mobi.hu as soon as it becomes available.
  • If no patch exists, implement a temporary workaround by contacting Mobiliti support to obtain guidance on blocking or limiting simultaneous connections that share a session ID.
  • Configure the backend or network firewall to enforce unique session identifiers, disallowing multiple connections using the same session ID and requiring authentication per endpoint.
  • Deploy monitoring to detect sudden increases in WebSocket connections or anomalous command traffic, which may indicate an ongoing hijacking or denial‑of‑service attempt.
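The displacement described in the Impact section, and the unique-session and per-endpoint authentication controls recommended above, as an added illustration that is not part of this advisory or of Mobiliti's software: a minimal in-memory WebSocket session registry in its vulnerable last-writer-wins form beside a hardened form that authenticates each station, refuses to displace a live session, and counts rejections for monitoring. Station ids, secrets and peer addresses are constructed.

```python
import hmac
from collections import Counter
from dataclasses import dataclass

# Constructed per-station credentials (assumption; a real backend would load these from provisioning).
STATION_SECRETS = {"CS-0001": b"secret-for-cs-0001", "CS-0002": b"secret-for-cs-0002"}

@dataclass
class Session:
    endpoint: str     # remote address of the WebSocket peer
    last_seen: float  # monotonic timestamp of the last frame from that peer

class VulnerableRegistry:
    """Keyed only by station id, last writer wins: a new connection with the same id displaces the old one."""
    def __init__(self):
        self.sessions = {}

    def connect(self, station_id, endpoint, now):
        self.sessions[station_id] = Session(endpoint, now)
        return True

    def target(self, station_id):  # where the backend sends commands for this station
        return self.sessions[station_id].endpoint

class HardenedRegistry:
    """Per-station credential required; a live session is never displaced, only an idle one expires."""
    def __init__(self, idle_timeout=60.0):
        self.sessions = {}
        self.idle_timeout = idle_timeout
        self.rejected = Counter()  # counters an alerting rule can watch

    def connect(self, station_id, endpoint, secret, now):
        expected = STATION_SECRETS.get(station_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            self.rejected["bad_credential"] += 1
            return False
        live = self.sessions.get(station_id)
        if live is not None and now - live.last_seen < self.idle_timeout:
            self.rejected["duplicate_session"] += 1
            return False
        self.sessions[station_id] = Session(endpoint, now)
        return True

    def heartbeat(self, station_id, endpoint, now):
        live = self.sessions.get(station_id)
        if live is not None and live.endpoint == endpoint:  # only the real peer refreshes
            live.last_seen = now

    def target(self, station_id):
        return self.sessions[station_id].endpoint
```

A spike in `rejected["duplicate_session"]` is the signal the monitoring bullet above asks for: it means repeated attempts to open a second session for a station that is still connected.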

Tracking

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Mobiliti
                                       Mobiliti e-mobi.hu
Vendors & Products                     Mobiliti
                                       Mobiliti e-mobi.hu

Fri, 06 Mar 2026 15:30:00 +0000

Type          Values Removed    Values Added
Description                     The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title                           Mobiliti e-mobi.hu Insufficient Session Expiration
Weaknesses                      CWE-613
References
Metrics                         cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                                cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Mobiliti E-mobi.hu
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T17:59:28.839Z

Reserved: 2026-02-24T00:30:38.937Z

Link: CVE-2026-27764

Vulnrichment

Updated: 2026-03-10T17:47:26.757Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T16:16:11.267

Modified: 2026-03-10T18:18:45.420

Link: CVE-2026-27764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses