CVE-2026-26288 — CRITICAL (9.4)

Vulnerability Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVSS Score

9.4

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Everon	Api.Everon.Io	All versions

Related Weaknesses (CWE)

CWE-306

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-06Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08US Government Resource

FAQ

What is CVE-2026-26288?

CVE-2026-26288 is a vulnerability with a CVSS score of 9.4 (CRITICAL). WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con...

How severe is CVE-2026-26288?

CVE-2026-26288 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-26288?

Check the references section above for vendor advisories and patch information. Affected products include: Everon Api.Everon.Io.