CVE-2026-31904

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06	US Government Resource Third Party Advisory
https://www.ctek.com/support	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:*

History

06 May 2026, 15:06

Type	Values Removed	Values Added
References	~~() https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json -~~	() https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json - Product
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06 - US Government Resource, Third Party Advisory
References	~~() https://www.ctek.com/support -~~	() https://www.ctek.com/support - Product
CPE		cpe:2.3:a:ctek:charge_portal:-:::::::*
First Time		Ctek Ctek charge Portal
Summary		(es) La Interfaz de Programación de Aplicaciones WebSocket carece de restricciones sobre el número de solicitudes de autenticación. Esta ausencia de limitación de velocidad puede permitir a un atacante llevar a cabo ataques de denegación de servicio suprimiendo o redirigiendo erróneamente la telemetría legítima del cargador, o llevar a cabo ataques de fuerza bruta para obtener acceso no autorizado.

20 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 23:16

Updated : 2026-05-06 15:06

NVD link : CVE-2026-31904

Mitre link : CVE-2026-31904

CVE.ORG link : CVE-2026-31904

JSON object : View

Products Affected

ctek

charge_portal

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2026-31904", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T23:16:44.060", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06", "tags": ["US Government Resource", "Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.ctek.com/support", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on the number of\u00a0authentication requests. This absence of rate limiting may allow an attacker to conduct\u00a0denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access."}, {"lang": "es", "value": "La Interfaz de Programaci\u00f3n de Aplicaciones WebSocket carece de restricciones sobre el n\u00famero de solicitudes de autenticaci\u00f3n. Esta ausencia de limitaci\u00f3n de velocidad puede permitir a un atacante llevar a cabo ataques de denegaci\u00f3n de servicio suprimiendo o redirigiendo err\u00f3neamente la telemetr\u00eda leg\u00edtima del cargador, o llevar a cabo ataques de fuerza bruta para obtener acceso no autorizado."}], "lastModified": "2026-05-06T15:06:24.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C757F5E2-F4E7-464D-9184-BD665287E411"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}