CVE-2026-26051
Published: 06 March 2026
Summary
CVE-2026-26051 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mvm Mobiliti E-Mobi.Hu. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires unique identification and authentication of devices such as charging stations before establishing network connections like WebSockets, directly preventing unauthorized station impersonation.
Enforces approved authorizations for all access to WebSocket endpoints, blocking unauthenticated connections and data manipulation.
Authorizes, configures, and monitors remote access methods including OCPP WebSocket endpoints to ensure only authenticated remote connections from legitimate stations are permitted.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation of public-facing application (T1190), privilege escalation (T1068), and station impersonation (T1656).
NVD Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Deeper analysisAI
CVE-2026-26051, published on 2026-03-06, is a critical vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from WebSocket endpoints that lack proper authentication mechanisms (CWE-306). It affects OCPP WebSocket endpoints in charging infrastructure backends, where attackers can perform unauthorized station impersonation and manipulate data sent to the backend.
An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. This allows them to issue or receive OCPP commands as a legitimate charger, resulting in privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Mitigation details are provided in related advisories, including CISA ICS Advisory ICSA-26-062-06 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat). Security practitioners should consult these for patching instructions and workarounds.
Details
- CWE(s)