Cyber Resilience

CVE-2026-26051

Critical

Published: 06 March 2026

Published
06 March 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0087 54.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26051 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mvm Mobiliti E-Mobi.Hu. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-26051, published on 2026-03-06, is a critical vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from WebSocket endpoints that lack proper authentication mechanisms (CWE-306). It affects OCPP WebSocket endpoints in charging infrastructure backends, where attackers can perform unauthorized station impersonation and manipulate data sent to the backend.

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. This allows them to issue or receive OCPP commands as a legitimate charger, resulting in privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigation details are provided in related advisories, including CISA ICS Advisory ICSA-26-062-06 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat). Security practitioners should consult these for patching instructions and workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

more

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation of public-facing application (T1190), privilege escalation (T1068), and station impersonation (T1656).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27764Same product: Mvm Mobiliti E-Mobi.Hu
CVE-2026-20882Same product: Mvm Mobiliti E-Mobi.Hu
CVE-2026-24731Shared CWE-306
CVE-2026-25851Shared CWE-306
CVE-2026-26288Shared CWE-306
CVE-2026-26055Shared CWE-306
CVE-2026-29796Shared CWE-306
CVE-2025-59246Shared CWE-306
CVE-2026-27028Shared CWE-306
CVE-2026-25848Shared CWE-306

Affected Assets

mvm
mobiliti e-mobi.hu
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires unique identification and authentication of devices such as charging stations before establishing network connections like WebSockets, directly preventing unauthorized station impersonation.

prevent

Enforces approved authorizations for all access to WebSocket endpoints, blocking unauthenticated connections and data manipulation.

preventdetect

Authorizes, configures, and monitors remote access methods including OCPP WebSocket endpoints to ensure only authenticated remote connections from legitimate stations are permitted.

References