Api Everon Io
CVE-2026-20748
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AnalysisAI
WebSocket session management in charging station backends allows multiple connections using identical session identifiers, enabling attackers to hijack legitimate sessions and intercept commands or impersonate authorized stations. Unauthenticated remote attackers can exploit this predictable identifier scheme to displace active connections, redirect backend communications, or launch denial-of-service attacks against the charging infrastructure. The vulnerability affects any deployment relying on this WebSocket backend without an available patch.
Technical ContextAI
Classified as CWE-613 (Insufficient Session Expiration). The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicio
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Api Everon Io
View allUnauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform v
Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow una
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today