CVE-2026-26051
Published: 06 March 2026
Summary
CVE-2026-26051 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mvm Mobiliti E-Mobi.Hu. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-26051, published on 2026-03-06, is a critical vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from WebSocket endpoints that lack proper authentication mechanisms (CWE-306). It affects OCPP WebSocket endpoints in charging infrastructure backends, where attackers can perform unauthorized station impersonation and manipulate data sent to the backend.
An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. This allows them to issue or receive OCPP commands as a legitimate charger, resulting in privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Mitigation details are provided in related advisories, including CISA ICS Advisory ICSA-26-062-06 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat). Security practitioners should consult these for patching instructions and workarounds.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10034
Vulnerability details
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation of public-facing application (T1190), privilege escalation (T1068), and station impersonation (T1656).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires unique identification and authentication of devices such as charging stations before establishing network connections like WebSockets, directly preventing unauthorized station impersonation.
Enforces approved authorizations for all access to WebSocket endpoints, blocking unauthenticated connections and data manipulation.
Authorizes, configures, and monitors remote access methods including OCPP WebSocket endpoints to ensure only authenticated remote connections from legitimate stations are permitted.