9.3
OCPP WebSocket endpoint fails to verify user identity
CVE-2026-26288
Summary
An attacker can connect to your OCPP system without a password and pretend to be a legitimate charger. This allows them to control charging stations and manipulate data sent to your backend. You should implement proper authentication for OCPP WebSocket connections to prevent this from happening.
Original title
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can ...
Original description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
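The advisory does not name a specific fix, so the following is an added example, not code from the advisory or the affected product. It sketches a handshake check that rejects the WebSocket upgrade unless the request carries HTTP Basic credentials whose username matches the station identifier in the URL, as the OCPP security profiles describe. The function names, the credential store layout, the PBKDF2 parameters and the sample station are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def station_id_from_path(path: str) -> str:
    # OCPP-J carries the station identity as the last segment of the connection URL.
    return unquote(urlsplit(path).path.rstrip("/").rsplit("/", 1)[-1])


def authorize_handshake(path, headers, store) -> bool:
    """Return True only if the upgrade request proves it is the station named in the URL.

    store maps station id -> (salt, pbkdf2_hash); headers uses lower-cased keys.
    """
    station_id = station_id_from_path(path)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False  # no credentials: refuse before upgrading to WebSocket
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    username, sep, password = raw.partition(b":")
    if not sep or username.decode("utf-8", "replace") != station_id:
        return False  # credentials must belong to the station being claimed
    record = store.get(station_id)
    if record is None:
        return False  # unknown identifier: knowing or guessing an id is not enough
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


# Constructed sample data: one provisioned station with its own secret.
SALT = b"constructed-salt"
STORE = {"CP-0001": (SALT, hash_password(b"constructed-secret-0001", SALT))}
```

Basic credentials only protect the endpoint when the connection runs over TLS, and the check has to run during the HTTP upgrade so that an unauthenticated peer never reaches the OCPP message handler.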
nvd CVSS3.1
9.4
nvd CVSS4.0
9.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026