Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
Open ChargePoint Protocol (OCPP) WebSocket Unauthenticated Access
CVE-2026-20781
Summary
If not fixed, an attacker can connect to your charging system as a legitimate station without a password, allowing them to control charging infrastructure and alter data sent to the backend. This could lead to unauthorized access, data corruption, or even control of your charging stations. To fix this, ensure that your OCPP WebSocket endpoint requires proper authentication and authorization for all connections.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| cloudcharge | cloudcharge.se | All versions | – |
Original title
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker ca...
Original description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
- https://cloudcharge.tech/support/contact/ Product
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03 Third Party Advisory US Government Resource
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026