Chargemap.Com
CVE-2026-25711
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AnalysisAI
Chargemap.Com's WebSocket backend accepts multiple connections with identical session identifiers, allowing attackers to hijack charging station sessions and intercept backend commands through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate charging stations, execute unauthorized operations, or disrupt service availability by flooding the backend with crafted session requests. No patch is currently available.
Technical ContextAI
Classified as CWE-613 (Insufficient Session Expiration). Affects Chargemap.Com. The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Chargemap.Com
View allMissing WebSocket authentication vulnerability — same family as CVE-2026-20781 and CVE-2026-24731. Unauthenticated acces
Chargemap.Com's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks
Chargemap.Com exposes charging station authentication credentials through publicly accessible web-based mapping interfac
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today