CVE-2026-26288
Published: 06 March 2026
Summary
CVE-2026-26288 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Everon Api.Everon.Io. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-26288 is a vulnerability in WebSocket endpoints that lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. It affects OCPP WebSocket endpoints used by charging stations to communicate with backend systems. Published on 2026-03-06, the issue is rated with a CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-306 (Missing Authentication for Critical Function).
An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. This allows privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
CISA ICS Advisory ICSA-26-062-08 provides details on mitigation, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10035
Vulnerability details
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in unauthenticated WebSocket endpoints enables exploitation of public-facing application (T1190), exploitation of remote services (T1210), privilege escalation via impersonation (T1068, T1656).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires unique identification and authentication of charging station devices before allowing WebSocket connections, directly preventing unauthorized station impersonation.
Enforces approved authorizations for access to OCPP WebSocket endpoints and commands, addressing the lack of authentication mechanisms that enable data manipulation.
Authorizes and controls remote access to WebSocket endpoints used by charging stations, mandating authentication to block unauthenticated connections.