CVE-2026-27652 — HIGH (7.3)

Vulnerability Description

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Cloudcharge	Cloudcharge.Se	All versions

Related Weaknesses (CWE)

CWE-613

References

https://cloudcharge.tech/support/contact/Product
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2026-27652?

CVE-2026-27652 is a vulnerability with a CVSS score of 7.3 (HIGH). The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred...

How severe is CVE-2026-27652?

CVE-2026-27652 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27652?

Check the references section above for vendor advisories and patch information. Affected products include: Cloudcharge Cloudcharge.Se.