Unauthenticated access to OCPP WebSocket endpoints

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.3

Unauthenticated access to OCPP WebSocket endpoints

CVE-2026-27772

Summary

OCPP WebSocket endpoints in charging stations can be accessed without a password, allowing attackers to pretend to be a legitimate station and control or manipulate data. This can lead to unauthorized control of charging infrastructure and corrupted data. To fix this, ensure that authentication is properly set up and enforced for all OCPP WebSocket endpoints.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
ev.energy	ev.energy	All versions	–

Original title

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker ca...

Original description

WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.

nvd CVSS3.1 9.8

nvd CVSS4.0 9.3

Vulnerability type

CWE-306 Missing Authentication for Critical Function

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07 Third Party Advisory US Government Resource
https://www.ev.energy/en-us Product

Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026