CVE-2026-20895
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Analysis
Session hijacking in Ev2go.Io's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept commands due to predictable session identifiers and insufficient endpoint validation. An unauthenticated attacker can establish multiple connections with the same session ID to displace legitimate stations, potentially gaining unauthorized access to charging infrastructure or disrupting service availability. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and document all systems running the affected WebSocket backend version and restrict external access to WebSocket endpoints via network controls. Within 7 days: Implement session validation controls, enforce unique endpoint identifiers, and deploy monitoring for duplicate session connections. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today