
Eparking Fi · EUVD-2026-13852 | CVE-2026-29796 · CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-20 · icscert · GHSA-3pgw-qmv2-hv8m
Score: 9.3 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector (NVD), base metrics as listed on the record:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (5 events)

  • May 13, 2026 16:37 · vuln.today · Re-analysis queued
  • May 13, 2026 16:37 · NVD · CVSS changed: 9.4 (CRITICAL) → 9.3 (CRITICAL)
  • Mar 20, 2026 23:16 · euvd · EUVD ID assigned: EUVD-2026-13852
  • Mar 20, 2026 23:16 · vuln.today · Analysis generated
  • Mar 20, 2026 22:53 · nvd · CVE published: CRITICAL 9.4

Description (CVE.org)

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Analysis (AI)

Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Connect to OCPP WebSocket endpoint
  • Delivery: Impersonate charging station with known identifier
  • Exploit: Issue unauthorized OCPP commands
  • Execution: Manipulate charging infrastructure data
  • Impact: Exfiltrate sensitive information or corrupt backend state

Vulnerability Assessment (AI)

Exploitation: No special conditions — remote unauthenticated exploitation against default OCPP WebSocket endpoints lacking authentication. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This vulnerability presents critical real-world risk with multiple concerning factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker scans the internet for exposed OCPP WebSocket endpoints on port 443 or 8080 and identifies an eparking.fi installation. Using publicly available charging station identifiers obtained from mobile apps or by enumerating sequential IDs, the attacker establishes a WebSocket connection claiming to be a legitimate charging station. …

Remediation: Immediately implement WebSocket authentication mechanisms for all OCPP endpoints, requiring mutual TLS authentication or token-based authentication before processing any charging station commands. … Detailed patch versions, workarounds, and compensating controls in full report.
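The weakness described above is that the station identifier in the WebSocket URL is trusted as proof of identity, and the remediation is to authenticate each station before any OCPP command is processed. The Python below is an illustration added to this record; it is not eparking.fi's code and not the API of any OCPP library. It assumes a CSMS that exposes stations at /ocpp/<station_id> and provisions each station with its own secret, presented as HTTP Basic credentials over TLS (the pattern of the OCPP 1.6-J security profile 1 and OCPP 2.0.1 profile A). The station ids, secrets, helper names (authorize_upgrade, audit_record) and sample requests are all constructed for the example.

```python
"""Per-station authentication gate for an OCPP-over-WebSocket endpoint.

Illustrative code, not eparking.fi's and not any OCPP library's API.
Assumes /ocpp/<station_id> paths and per-station Basic credentials over TLS.
All station ids, secrets and sample requests below are constructed.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

ALLOWED_SUBPROTOCOLS = {"ocpp1.6", "ocpp2.0.1"}


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Constructed registry: station id -> digest of that station's own secret.
# A real CSMS would load this from its provisioning database.
STATION_SECRETS = {
    "CP-1001": _digest("example-secret-1001"),
    "CP-1002": _digest("example-secret-1002"),
}
# Compared against when the claimed id is unknown, so both paths cost the same.
_DUMMY_DIGEST = _digest("dummy")


@dataclass(frozen=True)
class UpgradeDecision:
    accepted: bool
    station_id: Optional[str]
    reason: str


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value (used here to construct samples)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize_upgrade(path: str, headers: Mapping[str, str]) -> UpgradeDecision:
    """Decide whether a WebSocket upgrade for /ocpp/<station_id> may proceed.

    The station id in the URL is only a claim. It is accepted solely when the
    presented credential is valid AND belongs to that same station, so a valid
    credential for one charger cannot be used to speak for another.
    """
    h = {k.lower(): v for k, v in headers.items()}

    if not path.startswith("/ocpp/"):
        return UpgradeDecision(False, None, "unknown path")
    claimed = path[len("/ocpp/"):].strip("/")
    if not claimed or "/" in claimed:
        return UpgradeDecision(False, None, "malformed station id")

    offered = {p.strip() for p in h.get("sec-websocket-protocol", "").split(",")}
    if not offered & ALLOWED_SUBPROTOCOLS:
        return UpgradeDecision(False, claimed, "no supported OCPP subprotocol")

    creds = parse_basic_auth(h.get("authorization"))
    if creds is None:
        return UpgradeDecision(False, claimed, "missing credentials")
    user, password = creds
    if user != claimed:
        return UpgradeDecision(False, claimed, "credential does not belong to claimed station")

    expected = STATION_SECRETS.get(claimed)
    # Constant-time compare, run even for unknown ids so response timing does
    # not reveal which station ids exist.
    match = hmac.compare_digest(_digest(password), expected if expected is not None else _DUMMY_DIGEST)
    if expected is None or not match:
        return UpgradeDecision(False, claimed, "unknown station or bad secret")
    return UpgradeDecision(True, claimed, "authenticated")


def audit_record(decision: UpgradeDecision, peer: str) -> dict:
    """Flat event for the CSMS log or SIEM. Repeated rejections from one peer, or
    across many claimed station ids, are the detection signal for id probing."""
    return {"event": "ocpp_ws_upgrade", "peer": peer, "station_id": decision.station_id,
            "accepted": decision.accepted, "reason": decision.reason}


if __name__ == "__main__":
    samples = [  # constructed upgrade requests
        ("/ocpp/CP-1001", {"Sec-WebSocket-Protocol": "ocpp1.6",
                           "Authorization": basic_header("CP-1001", "example-secret-1001")}),
        ("/ocpp/CP-1002", {"Sec-WebSocket-Protocol": "ocpp1.6"}),  # the record's failure mode: id only
        ("/ocpp/CP-1002", {"Sec-WebSocket-Protocol": "ocpp2.0.1",
                           "Authorization": basic_header("CP-1001", "example-secret-1001")}),
    ]
    for path, hdrs in samples:
        print(audit_record(authorize_upgrade(path, hdrs), "203.0.113.10"))
```

The second sample is exactly the condition the record describes, a connection that presents nothing but a station identifier, and it is refused before any OCPP frame is read. The third sample shows why the authenticated identity must be bound to the claimed id: a credential that is valid for one charger is still rejected when used on another charger's path. The audit_record output is what a detection rule would key on, since a burst of "missing credentials" or "unknown station or bad secret" rejections across sequential ids is the enumeration behaviour the assessment above warns about.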

Recommended Action (AI)

Within 24 hours: Inventory all systems connected to eparking.fi infrastructure and isolate charging stations from direct internet exposure; notify all stakeholders and customers of the vulnerability. …



EUVD-2026-13852 vulnerability details – vuln.today
