Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
Unauthorized access to OCPP WebSocket endpoint allows manipulation
CVE-2026-27767
Summary
An attacker can connect to an OCPP WebSocket endpoint without a password, allowing them to pretend to be a legitimate charging station and manipulate data. This could lead to unauthorized control of charging infrastructure and corruption of data sent to the company. To fix this, ensure that authentication is properly implemented for all OCPP WebSocket endpoints.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| swtchenergy | swtchenergy.com | All versions | – |
Original title
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker ca...
Original description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
- https://swtchenergy.com/contact/ Product
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06 Third Party Advisory US Government Resource
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026