Cloudcharge.Se
CVE-2026-20781
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AnalysisAI
Missing WebSocket authentication in industrial/IoT device management allows unauthenticated attackers to perform station impersonation, data injection, and denial of service. One of several related CVEs affecting the same WebSocket endpoints.
Technical ContextAI
CWE-306 missing authentication for critical WebSocket endpoints. Attackers can connect without credentials and send commands that impersonate legitimate stations.
RemediationAI
Implement authentication on all WebSocket endpoints. Deploy network segmentation for OT systems. Monitor for unauthorized WebSocket connections.
More in Cloudcharge.Se
View allCloudcharge.Se's WebSocket API fails to implement authentication rate limiting, enabling attackers to launch denial-of-s
Session hijacking in Cloudcharge.Se's WebSocket backend allows remote attackers to impersonate legitimate charging stati
Cloudcharge.Se charging stations expose authentication credentials through publicly accessible web-based mapping platfor
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today