9.3
OCPP WebSocket Endpoints Allow Unauthorized Access to Charging Stations
CVE-2026-26051
Summary
Unauthenticated OCPP WebSocket endpoints allow attackers to impersonate legitimate charging stations, manipulate data sent to the backend, and control charging infrastructure. This can lead to unauthorized access and data corruption, compromising the integrity of the charging network. Update your system to require authentication for all WebSocket connections.
Original title
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can ...
Original description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
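The missing control described above is a check at the WebSocket upgrade that binds a per-station credential to the station identifier claimed in the URL. The sketch below is an added example, not code from the affected product or its vendor. It assumes the station sends HTTP Basic credentials on the upgrade request with its identifier as the username, and that the identifier is the last path segment; the function names, path layout and credential store are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample store: station id -> SHA-256 of its provisioned password.
# A real deployment would keep a salted, slow password hash in a database.
STATION_SECRETS = {
    "CP-0001": hashlib.sha256(b"constructed-secret-1").hexdigest(),
}

def station_id_from_path(path):
    """Return the last path segment, e.g. /ocpp/CP-0001 -> CP-0001 (assumed layout)."""
    return unquote(path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1])

def authorize_upgrade(path, headers, secrets=STATION_SECRETS):
    """Decide whether a WebSocket upgrade may proceed. Returns (ok, reason)."""
    station_id = station_id_from_path(path)
    headers = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        # This is the case the advisory describes: an identifier with no credential.
        return False, "missing-credentials"
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False, "malformed-credentials"
    user, sep, password = decoded.partition(":")
    if not sep:
        return False, "malformed-credentials"
    # The credential must belong to the identifier claimed in the URL, so a
    # valid password for one station cannot be used to speak as another.
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return False, "identity-mismatch"
    expected = secrets.get(station_id)
    presented = hashlib.sha256(password.encode()).hexdigest()
    # Unknown stations are compared against a dummy digest so that the
    # rejection path takes the same shape as a wrong password.
    if not hmac.compare_digest(presented, expected or "0" * 64) or expected is None:
        return False, "bad-credentials"
    return True, "ok"
```

A server would call `authorize_upgrade` before completing the handshake and answer a failed check with HTTP 401 instead of switching protocols; Basic credentials only make sense over TLS.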
nvd CVSS3.1
9.4
nvd CVSS4.0
9.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026