Mobility46.Se
CVE-2026-26305
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AnalysisAI
Mobility46.Se's WebSocket API fails to implement authentication rate limiting, enabling remote attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force attacks to compromise accounts. The vulnerability requires no authentication or user interaction and affects all network-accessible instances. No patch is currently available.
Technical ContextAI
Classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Affects Mobility46.Se. The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Mobility46.Se
View allMissing WebSocket authentication — sixth CVE in the industrial platform WebSocket family. Same pattern of unauthenticate
Mobility46.Se's WebSocket implementation allows multiple connections to share predictable session identifiers, enabling
Mobility46.Se charging stations expose authentication credentials through publicly accessible web-based mapping platform
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today