Skip to main content

Everon API CVE-2026-26288

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-06 ics-cert@hq.dhs.gov
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:37 NVD
9.4 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 16:16 nvd
CRITICAL 9.4

DescriptionCVE.org

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

AnalysisAI

Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.

Technical ContextAI

This vulnerability affects the Open Charge Point Protocol (OCPP) WebSocket implementation in Everon's backend API platform (api.everon.io). OCPP is the industry-standard communication protocol between EV charging stations and central management systems, typically operating over WebSocket transport for bidirectional real-time messaging. The flaw represents CWE-306 (Missing Authentication for Critical Function), where the OCPP WebSocket endpoint accepts connections without validating the identity of connecting charging stations. In properly secured OCPP deployments, charging stations authenticate via HTTP Basic Auth, client certificates, or token-based mechanisms during WebSocket handshake. The absence of these controls allows any network-accessible client to establish WebSocket connections and participate in OCPP message exchanges by simply knowing or guessing valid charging station identifiers, which may be predictable or discoverable through enumeration.

RemediationAI

Primary remediation requires implementing authentication mechanisms on all OCPP WebSocket endpoints per CISA ICS-CERT guidance at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08. Consult the advisory for vendor-provided patches or configuration changes. Until vendor patches are applied, implement compensating controls: restrict network access to OCPP WebSocket endpoints using firewall rules permitting only known charging station IP addresses (requires maintaining IP allowlist, breaks mobility for cellular-connected chargers); deploy mutual TLS (mTLS) authentication requiring client certificates for WebSocket handshake (adds certificate management overhead but provides strong cryptographic identity verification); implement application-layer authentication tokens in WebSocket subprotocol negotiation (requires custom development if not supported by Everon platform); monitor WebSocket connections for unauthorized station identifiers and anomalous OCPP command patterns using network IDS rules. Network segmentation alone is insufficient as it does not prevent impersonation by compromised stations within the trusted zone. Organizations should audit existing charging station identifiers for predictability and implement randomized identifier schemes to prevent enumeration attacks.

Share

CVE-2026-26288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy