CVE-2026-29796

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-29796
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

9.4 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json Not Applicable
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 Not Applicable
Configurations

Configuration 1 (hide)

cpe:2.3:a:igl:eparking.fi:-:*:*:*:*:*:*:*
History

13 May 2026, 16:33

Type Values Removed Values Added
Summary
  • (es) Los puntos finales de WebSocket carecen de mecanismos de autenticación adecuados, lo que permite a los atacantes realizar suplantación de estación no autorizada y manipular datos enviados al backend. Un atacante no autenticado puede conectarse al punto final WebSocket de OCPP utilizando un identificador de estación de carga conocido o descubierto, luego emitir o recibir comandos OCPP como un cargador legítimo. Dado que no se requiere autenticación, esto puede llevar a una escalada de privilegios, control no autorizado de la infraestructura de carga y corrupción de los datos de la red de carga reportados al backend.
First Time Igl eparking.fi
Igl
CPE cpe:2.3:a:igl:eparking.fi:-:*:*:*:*:*:*:*
References () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json - () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json - Not Applicable
References () https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 - () https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 - Not Applicable

20 Mar 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 23:16

Updated : 2026-05-13 16:33

NVD link : CVE-2026-29796

Mitre link : CVE-2026-29796

CVE.ORG link : CVE-2026-29796

JSON object : View

Products Affected

igl

  • eparking.fi
CWE
CWE-306

Missing Authentication for Critical Function