OCPP WebSocket Endpoints Allow Unauthorized Access to Charging Stations
CVE-2026-22552
Summary
OCPP WebSocket endpoints do not require authentication, allowing attackers to pretend to be a legitimate charging station and manipulate data sent to the backend. This could lead to unauthorized control of charging infrastructure and corruption of data. To protect your charging network, ensure you have proper authentication mechanisms in place for OCPP WebSocket endpoints.
Original title
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can ...
Original description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
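As a mitigation sketch for the missing check described above (an added example, not code from the affected product or its vendor), the function below gates the WebSocket upgrade on HTTP Basic credentials bound to the station identifier in the URL. The `/ocpp/<station-id>` path layout, the `STATION_KEYS` store, and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store: station id -> SHA-256 hex of its provisioned key.
# Assumption: keys are long random secrets loaded from the backend's own database.
STATION_KEYS = {
    "CP-0001": hashlib.sha256(b"constructed-sample-key-0001").hexdigest(),
}
DUMMY_DIGEST = "0" * 64  # compared against when the station is unknown


def station_id_from_path(path, prefix="/ocpp/"):
    """Return the station id carried as the last URL segment, or None."""
    if not path.startswith(prefix):
        return None
    station_id = path[len(prefix):]
    if not station_id or any(c in station_id for c in "/?#"):
        return None
    return station_id


def authorize_upgrade(path, headers):
    """Return (http_status, station_id); 101 means the handshake may continue."""
    station_id = station_id_from_path(path)
    if station_id is None:
        return 404, None
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 401, None
    user, sep, key = decoded.partition(b":")
    if not sep:
        return 401, None
    expected = STATION_KEYS.get(station_id)
    # The credential must belong to the station named in the URL, so a valid
    # login for one station cannot be replayed under another station's id.
    user_ok = hmac.compare_digest(user, station_id.encode())
    key_ok = hmac.compare_digest(hashlib.sha256(key).hexdigest(),
                                 expected or DUMMY_DIGEST)
    if expected is None or not (user_ok and key_ok):
        return 401, None
    return 101, station_id
```

Run the check before the upgrade is accepted and serve it only over TLS, since Basic credentials are otherwise readable on the wire.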
NVD CVSS 3.1: 9.4
NVD CVSS 4.0: 9.3
Vulnerability type: CWE-306 (Missing Authentication for Critical Function)
Published: 6 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026