CVE-2026-27652

Medium CVSS: 6.9

The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.

Vendor

Cloudcharge

Product

Cloudcharge.se

CWE

CWE-613

Yayın Tarihi

2026-02-27 00:16:57

Güncelleme

2026-03-05 21:16:17

Source Identifier

ics-cert@hq.dhs.gov

KEV Date Added

Kategoriler

CWE-613 Cloudcharge.se MEDIUM Cloudcharge 2026

Referanslar

https://cloudcharge.tech/support/contact/ https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-03.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03

Benzer Kayıtlar

High

CVE-2026-25114

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absen…

Medium

CVE-2026-20733

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Critical

CVE-2026-20781

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersona…