CVE-2026-29796
Published: 20 March 2026
Summary
CVE-2026-29796 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation and command issuance.
Enforces approved access authorizations for the OCPP WebSocket endpoint, blocking unauthenticated attackers from manipulating data or escalating privileges.
Mandates authorization verification and safeguards for publicly accessible WebSocket interfaces, mitigating lack of authentication on OCPP endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated network access to public-facing WebSocket endpoint enables exploitation of public-facing application (T1190); impersonation and unauthorized control constitute privilege escalation via exploitation (T1068).
NVD Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Deeper analysisAI
CVE-2026-29796 is a vulnerability in WebSocket endpoints that lack proper authentication mechanisms, classified under CWE-306 (Missing Authentication for Critical Function). It affects the OCPP WebSocket endpoint in charging infrastructure backends, where charging stations connect to send and receive commands. Published on 2026-03-20, the issue has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for confidentiality, integrity, and limited availability impacts.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no privileges. By connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, the attacker can impersonate a legitimate charger, issue or receive OCPP commands, and manipulate data sent to the backend. This leads to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Mitigation guidance is provided in CISA ICS Advisory ICSA-26-078-08, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json.
Details
- CWE(s)