CVE-2026-20791
Published: 27 February 2026
Summary
CVE-2026-20791 is a medium-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Chargemap Chargemap.Com. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-20791 is a vulnerability in which authentication identifiers for charging stations are publicly accessible via web-based mapping platforms. This issue, linked to CWE-522 (Insufficiently Protected Credentials), affects charging station systems and was published on 2026-02-27 with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low complexity, and impacts to confidentiality and integrity but not availability.
Any unauthenticated attacker with network access can exploit this vulnerability without user interaction. By reading the publicly exposed authentication identifiers from the mapping platforms, they gain limited confidentiality impact (viewing sensitive station data) and limited integrity impact (potentially making unauthorized changes to station configuration or operation).
CISA's ICS Advisory ICSA-26-057-05, detailed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json, provides information on mitigations. The ChargeMap support page at https://chargemap.com/en-us/support offers related guidance for affected users.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8930
Vulnerability details
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
- CWE(s): CWE-522 (Insufficiently Protected Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Public exposure of authentication identifiers through web platforms directly enables T1190 (Exploit Public-Facing Application) and T1552 (Unsecured Credentials), since the identifiers can be discovered and used without any authentication.
Affected Assets
- Chargemap Chargemap.Com
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): directly prohibits publication of sensitive authentication identifiers on public mapping platforms.
- AC-3 (Access Enforcement): enforces access control so that charging-station credentials cannot be retrieved by unauthenticated users.
- Requires proper authenticator management to keep identifiers confidential rather than publicly exposed.
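The root cause described in the deeper analysis (station authentication identifiers included in data served to a public map) and the AC-3/AC-22 mitigations above both come down to one design point: a public, unauthenticated map endpoint must expose an allowlist of map fields, never the operator record as a whole. The following is an added illustration, not code from the advisory or from Chargemap; the station records, field names (`auth_identifier`, `operator_contact`), the `PUBLIC_FIELDS` allowlist and the credential-key pattern are all constructed assumptions. It shows the leaky projection beside the allowlisted one, access enforcement for an authenticated operator, and a small egress check that flags credential-shaped keys in any outgoing public payload.

```python
"""Added example: separating public map data from station credentials.

Not from the advisory or Chargemap; all records and field names are constructed.
"""
import re
from typing import Any, Optional

# Fields an unauthenticated map client legitimately needs (assumed allowlist).
PUBLIC_FIELDS = frozenset({"station_id", "name", "lat", "lon", "connectors", "status"})

# Keys that look like authentication material and must never reach a public
# response. Illustrative pattern, not any real schema.
CREDENTIAL_KEY_RE = re.compile(r"(auth|token|secret|password|api[_-]?key|credential)", re.I)

# Constructed operator-side records: map data plus the station's auth identifier.
STATIONS = [
    {"station_id": "ST-0001", "name": "Main St Garage", "lat": 48.85, "lon": 2.35,
     "connectors": 4, "status": "available", "auth_identifier": "EXAMPLE-AUTH-ID-1",
     "operator_contact": "ops@example.invalid"},
    {"station_id": "ST-0002", "name": "Harbour Lot", "lat": 48.86, "lon": 2.36,
     "connectors": 2, "status": "in_use", "auth_identifier": "EXAMPLE-AUTH-ID-2",
     "operator_contact": "ops@example.invalid"},
]


def leaky_public_view(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """'Before': the whole operator record is serialised for the public map."""
    return [dict(r) for r in records]


def public_view(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """'After' (AC-22): allowlist projection. Any field the backend grows later
    is dropped by default instead of leaking by default."""
    return [{k: v for k, v in r.items() if k in PUBLIC_FIELDS} for r in records]


def operator_view(records: list[dict[str, Any]],
                  principal: Optional[dict[str, Any]]) -> list[dict[str, Any]]:
    """AC-3: the full record is returned only for stations the authenticated
    principal operates; everything else gets the public projection."""
    if not principal or not principal.get("authenticated"):
        return public_view(records)
    owned = set(principal.get("stations", ()))
    return [dict(r) if r["station_id"] in owned
            else {k: v for k, v in r.items() if k in PUBLIC_FIELDS}
            for r in records]


def find_credential_leaks(payload: Any, path: str = "") -> list[str]:
    """Detection / egress check: walk an outgoing public payload and return the
    paths of keys that look like credentials. Empty list means clean."""
    leaks: list[str] = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            p = f"{path}.{k}" if path else k
            if CREDENTIAL_KEY_RE.search(k):
                leaks.append(p)
            leaks.extend(find_credential_leaks(v, p))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            leaks.extend(find_credential_leaks(v, f"{path}[{i}]"))
    return leaks


if __name__ == "__main__":
    print("leaky view leaks:", find_credential_leaks(leaky_public_view(STATIONS)))
    print("public view leaks:", find_credential_leaks(public_view(STATIONS)))
    op = {"authenticated": True, "stations": ["ST-0001"]}
    print("operator view:", operator_view(STATIONS, op))
```

The allowlist is deliberately chosen over a denylist: a denylist of known credential fields fails the moment a new field such as a station auth identifier is added to the backend record, which is exactly the failure mode the advisory describes. `find_credential_leaks` is the complementary control, suited to a CI test or response-middleware hook, so a regression in the projection is caught before the payload is published.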