Charging Station Sessions Can Be Hijacked or Overwhelmed
CVE-2026-25711
Summary
The software used by charging stations allows multiple devices to share the same session ID, making it possible for a hacker to take control of a legitimate session or flood the system with fake requests. This can lead to unauthorized access or a denial-of-service attack. To fix this, the software should be updated to use unique and unpredictable session IDs for each charging station.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| chargemap | chargemap.com | All versions | – |
Original title
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in p...
Original description
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
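As an added illustration (not code from the advisory, NVD, or the vendor), a small Python model of the two registry behaviours the description contrasts: a table keyed by station identifier alone, where the newest connection displaces the earlier one, beside a hardened table that checks a provisioned credential, issues an unguessable per-session token bound to the first endpoint, and refuses a second connection for a station with a live session. Station ids, addresses and the credential are constructed placeholders.

```python
import secrets
from dataclasses import dataclass
# Constructed example: an in-memory model of a backend's WebSocket session table.
# Station ids, endpoint addresses and the provisioned secret are hypothetical.
@dataclass
class Session:
    station_id: str
    endpoint: str     # address of the socket that opened the session
    token: str = ""   # random per-session token (hardened variant only)

class PredictableRegistry:
    """Models the weakness in the advisory: the session key is the station id itself
    and a newer connection silently displaces the earlier one (session shadowing)."""
    def __init__(self):
        self.sessions = {}

    def connect(self, station_id, endpoint):
        self.sessions[station_id] = Session(station_id, endpoint)  # last writer wins
        return self.sessions[station_id]

    def route_command(self, station_id):
        return self.sessions[station_id].endpoint  # whoever connected last

class HardenedRegistry:
    """Mitigated variant: a station proves a provisioned credential, receives an
    unguessable token bound to its id and first endpoint, and a second connection
    for a station with a live session is refused instead of displacing it."""
    def __init__(self, station_secrets):
        self._secrets = station_secrets  # station_id -> provisioned credential
        self.by_station, self.by_token = {}, {}

    def connect(self, station_id, endpoint, presented_secret):
        expected = self._secrets.get(station_id, "")
        if not secrets.compare_digest(presented_secret, expected):
            raise PermissionError("unknown station or bad credential")
        if station_id in self.by_station:
            raise ConnectionRefusedError("station already has a live session")
        s = Session(station_id, endpoint, secrets.token_urlsafe(32))
        self.by_station[station_id], self.by_token[s.token] = s, s
        return s

    def route_command(self, station_id):
        return self.by_station[station_id].endpoint  # always the first endpoint

    def inbound(self, token, endpoint):
        """Accept a message only if the token names a live session from this endpoint."""
        s = self.by_token.get(token)
        if s is None or s.endpoint != endpoint:
            raise PermissionError("token not valid for this endpoint")
        return s.station_id
```

In a real backend the "live session" check would also need a heartbeat or close handler so a dropped station can reconnect, and a rate limit on failed credential checks so the connect path itself cannot be used to exhaust the backend.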
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-613
- https://chargemap.com/en-us/support (Product)
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... (Third Party Advisory)
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 (Third Party Advisory, US Government Resource)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026