Vulnerability Details CVE-2026-27028
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.3%
CVSS Severity
CVSS v3 Score 9.4
References
Products affected by CVE-2026-27028
-
cpe:2.3:a:mobility46:mobility46.se:*