CVE-2026-32663 — HIGH (7.3)

Vulnerability Description

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Igl	Eparking.Fi	-

Related Weaknesses (CWE)

CWE-613

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-07Not Applicable
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08Not Applicable

FAQ

What is CVE-2026-32663?

CVE-2026-32663 is a vulnerability with a CVSS score of 7.3 (HIGH). The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic...

How severe is CVE-2026-32663?

CVE-2026-32663 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-32663?

Check the references section above for vendor advisories and patch information. Affected products include: Igl Eparking.Fi.