Cyber Resilience

CVE-2026-26305

High

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 37.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26305 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Mobility46 Mobility46.Se. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-26305 is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. This issue, tied to CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-02-27T01:16:20.617. It affects systems handling charger telemetry, as detailed in the associated CISA ICS advisory.

A remote attacker requires no privileges or user interaction and can exploit this over the network with low complexity. Successful exploitation enables denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or brute-force attacks to achieve unauthorized access.

CISA advisory ICSA-26-057-08 provides details on the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 and the corresponding CSAF JSON at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json. Vendor contact information is at https://www.mobility46.se/en/contact-us.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

more

access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Lack of rate limiting on public-facing WebSocket auth API directly enables brute force credential attacks (T1110) and application-layer DoS via request flooding (T1499); exploitation occurs remotely against exposed service (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27028Same product: Mobility46 Mobility46.Se
CVE-2026-27647Same product: Mobility46 Mobility46.Se
CVE-2026-25945Shared CWE-307
CVE-2026-33667Shared CWE-307
CVE-2026-33640Shared CWE-307
CVE-2026-24445Shared CWE-307
CVE-2025-67853Shared CWE-307
CVE-2026-20792Shared CWE-307
CVE-2026-8760Shared CWE-307
CVE-2025-12995Shared CWE-307

Affected Assets

mobility46
mobility46.se
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces limits on consecutive invalid authentication attempts, preventing brute-force attacks and DoS from excessive WebSocket authentication requests.

prevent

Provides denial-of-service protection mechanisms to limit the effects of excessive authentication requests that suppress or mis-route legitimate charger telemetry.

prevent

Ensures resource availability by prioritizing and managing allocations, mitigating resource exhaustion from floods of authentication requests.

References