WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker ca...

Summary

WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, the...

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mobility46	mobility46.se	All versions	–

Original title

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker ca...

Original description

WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.

nvd CVSS3.1 9.8

nvd CVSS4.0 9.3

Vulnerability type

CWE-306 Missing Authentication for Critical Function

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 Third Party Advisory US Government Resource
https://www.mobility46.se/en/contact-us Product