Vulnerability Details CVE-2026-24731
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.0%
CVSS Severity
CVSS v3 Score 9.4
References