Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Potential Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from missing rate limiting on authentication requests within the WebSocket API of the eParking.fi OCPP servers. Because the endpoint evaluates every authentication attempt it receives, an attacker can flood it with attempts, suppressing legitimate charger telemetry or overwhelming the server, or can run an unthrottled brute-force of charger credentials to gain unauthorized access. The weakness is classified as CWE-307, Improper Restriction of Excessive Authentication Attempts.
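The following is an added example, not code from IGL-Technologies or the eParking.fi servers. It shows the pattern the description implies (an authentication gate that evaluates every attempt, however many arrive) next to a hardened gate that applies a device allow-list, a sliding-window failure counter keyed on both the source address and the claimed charge point identity, and a lockout. It assumes the OCPP 1.6J/2.0.1 convention of HTTP Basic Auth on the WebSocket upgrade request with the charge point identity as the username; the credential store, identities, addresses and thresholds are constructed for illustration.

```python
"""Added example (not IGL-Technologies or eParking.fi code): an OCPP-style
WebSocket authentication gate without and with rate limiting.

Assumes the OCPP 1.6J / 2.0.1 convention of HTTP Basic Auth on the WebSocket
upgrade request, with the charge point identity as the username. Credentials,
identities, addresses and thresholds below are constructed for illustration.
"""
import base64
import hmac
from collections import defaultdict, deque

CREDENTIALS = {"CP_0042": "s3cret-token-0042"}   # constructed credential store
ALLOWED_IDENTITIES = set(CREDENTIALS)             # constructed device allow-list

MAX_FAILURES = 5        # failures tolerated per key inside WINDOW_SECONDS
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 300


def basic_header(identity, password):
    """Build the Authorization header value a charge point would send."""
    return "Basic " + base64.b64encode(f"{identity}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (identity, password) from an 'Authorization: Basic ...' value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported authorization scheme")
    identity, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return identity, password


def check_password(identity, password):
    """Constant-time comparison so timing does not leak matching prefixes."""
    expected = CREDENTIALS.get(identity, "")
    return identity in CREDENTIALS and hmac.compare_digest(expected, password)


class UnlimitedGate:
    """The vulnerable shape: every attempt is evaluated, however many arrive."""

    def authenticate(self, src_ip, header, now):
        identity, password = parse_basic_auth(header)
        return "accept" if check_password(identity, password) else "reject"


class RateLimitedGate:
    """Hardened shape: allow-list, sliding-window failure counts keyed on both
    the source address and the claimed identity, and a lockout once the
    budget is exceeded. Locked keys are refused before any credential check."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}

    def _locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def _record_failure(self, key, now):
        window = self.failures[key]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def authenticate(self, src_ip, header, now):
        identity, password = parse_basic_auth(header)
        keys = (("ip", src_ip), ("id", identity))
        if any(self._locked(k, now) for k in keys):
            return "throttled"
        if identity not in ALLOWED_IDENTITIES or not check_password(identity, password):
            for k in keys:
                self._record_failure(k, now)
            return "reject"
        return "accept"


def brute_force(gate, attempts, src_ip="203.0.113.7"):
    """Send one wrong guess per second for CP_0042; return counts per verdict."""
    counts = defaultdict(int)
    for i in range(attempts):
        header = basic_header("CP_0042", f"guess-{i}")
        counts[gate.authenticate(src_ip, header, now=float(i))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("unlimited gate:", brute_force(UnlimitedGate(), 100))
    print("limited gate:  ", brute_force(RateLimitedGate(), 100))
```

Run as-is, the unlimited gate evaluates all 100 guesses, while the limited gate rejects six and throttles the remaining 94 without touching the credential store. Keying the counter on the identity as well as the source address matters because an attacker spreading guesses across many addresses would otherwise stay under a per-IP budget; the trade-off is that a per-identity lockout can be used to lock out a legitimate charger, which is why the lockout is short and why it belongs alongside the allow-list and TLS-based security profiles the vendor enabled rather than on its own.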

Affected Systems

IGL‑Technologies eParking.fi deployments that expose the standard unencrypted OCPP server interface are affected. Encrypted deployments of the eParking OCPP servers, and deployments using IGL‑Technologies' proprietary eTolppa protocol, are stated as not impacted. No specific version numbers are provided in the advisory, but the CNA notes that a vendor update has been released to address the issue.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 (CVSS v3.1: 7.5) rates the vulnerability High. Both vectors describe an unauthenticated, network‑reachable attack with no user interaction (AV:N/AC:L/PR:N/UI:N), and both score impact on availability only (VA:H with VC:N/VI:N in v4.0; A:H with C:N/I:N in v3.1), so the brute‑force path to unauthorized access named in the description is not reflected in the score. The EPSS estimate is below 1% (Very Low) and the CVE is not in CISA's KEV catalogue, so there is no current evidence of exploitation in the wild, though EPSS for a CVE published only days earlier is immature. The advisory states that the exploit can be carried out through network traffic to the WebSocket endpoint, so no local foothold is needed. Because the weakness allows denial of service and potentially credential compromise, the overall risk to operators and users is significant while the affected OCPP servers remain unpatched.

Generated by OpenCVE AI on March 21, 2026 at 07:03 UTC.

Remediation

Vendor Solution

IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
  1. Enforce modern security profiles and stronger authentication.
  2. Device-level whitelisting was implemented to ensure that only authorized devices connect.
  3. Rate limiting controls prevent excessive requests and reduce denial-of-service attacks.
  4. Enhanced automated monitoring and alerting to detect abnormal network activity.


OpenCVE Recommended Actions

  • Install the IGL‑Technologies eParking OCPP server update that enforces modern security profiles (in OCPP terms, the TLS‑protected profiles rather than plain‑WebSocket Basic Auth), stronger authentication and rate limiting.
  • Verify that the deployment is running the updated server software and that device‑level whitelisting is active.
  • If only the encrypted deployment or proprietary eTolppa protocol is in use, confirm those devices are not affected.
  • Enable or review monitoring and alerting for abnormal authentication traffic on the WebSocket interface.
  • If an update cannot be applied immediately, restrict network access to the OCPP endpoint and monitor for high‑rate authentication attempts.
  • Contact IGL‑Technologies at security@igl.fi for further guidance.
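As an added example for the monitoring item above (not OpenCVE or IGL-Technologies tooling), the detector below scans access-log lines for a WebSocket upgrade endpoint and raises an alert when one source address exceeds a failure budget inside a sliding window, or tries more distinct charge point identities than a single charger ever would. The log line format, addresses, identities and thresholds are constructed; the regular expression needs adapting to the real server's log format.

```python
"""Added example (not OpenCVE or IGL-Technologies tooling): detect high-rate
authentication attempts against a WebSocket upgrade endpoint from access logs.

Line format, addresses, identities and thresholds are constructed; adapt
LINE_RE to the real server's log line. Status 101 marks a completed upgrade,
anything else a failed one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) (?P<identity>\S+) (?P<status>\d{3})$"
)
WINDOW_SECONDS = 60
MAX_FAILURES_PER_IP = 20     # failed upgrades from one address per window
MAX_IDENTITIES_PER_IP = 5    # distinct charge point IDs tried from one address


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "identity": m["identity"],
            "status": int(m["status"])}


def detect(lines):
    """Return a list of (alert_type, ip, timestamp), one entry per address the
    first time a threshold is crossed within the sliding window."""
    failures = defaultdict(deque)   # ip -> deque of (ts, identity) failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] == 101:
            continue
        window = failures[ev["ip"]]
        window.append((ev["ts"], ev["identity"]))
        while window and window[0][0] <= ev["ts"] - WINDOW_SECONDS:
            window.popleft()
        flood = len(window) > MAX_FAILURES_PER_IP
        enumeration = len({ident for _, ident in window}) > MAX_IDENTITIES_PER_IP
        for fired, name in ((flood, "auth_flood"), (enumeration, "identity_enumeration")):
            if fired and (name, ev["ip"]) not in alerted:
                alerted.add((name, ev["ip"]))
                alerts.append((name, ev["ip"], ev["ts"]))
    return alerts


def constructed_log():
    """A synthetic log: one good reconnect, one password-guessing run, one
    identity sweep, and one stray failure that should not alert."""
    base = datetime(2026, 3, 21, 7, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(0)} 198.51.100.20 /ocpp/CP_0042 CP_0042 101"]
    lines += [f"{stamp(1 + i)} 203.0.113.7 /ocpp/CP_0042 CP_0042 401" for i in range(30)]
    lines += [f"{stamp(40 + i)} 203.0.113.9 /ocpp/CP_{i:04d} CP_{i:04d} 401" for i in range(8)]
    lines.append(f"{stamp(80)} 192.0.2.5 /ocpp/CP_0042 CP_0042 401")
    return lines


if __name__ == "__main__":
    for name, ip, ts in detect(constructed_log()):
        print(name, ip, datetime.fromtimestamp(ts, timezone.utc).isoformat())
```

On the constructed log this fires an auth_flood alert for the address that makes the 21st failed attempt against one identity in 21 seconds, and an identity_enumeration alert for the address that tries a sixth distinct charge point identity, while the single stray failure and the successful reconnect produce nothing. Both thresholds should be tuned against a baseline of legitimate reconnect behaviour; chargers that lose connectivity do retry, but a single charger retrying never presents more than its own identity.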


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Igl-technologies; Igl-technologies eparking.fi
Vendors & Products   (none)           Igl-technologies; Igl-technologies eparking.fi

Fri, 20 Mar 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title         (none)           IGL-Technologies eParking.fi Improper Restriction of Excessive Authentication Attempts
Weaknesses    (none)           CWE-307
References    (none)           (none shown)
Metrics       (none)           cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                               cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Igl-technologies Eparking.fi
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T15:56:29.649Z

Reserved: 2026-03-12T20:17:17.765Z

Link: CVE-2026-31903

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:43.813

Modified: 2026-03-23T16:16:46.560

Link: CVE-2026-31903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:59Z

Weaknesses