Session Hijacking Vulnerability in Charging Station WebSocket Backend by Vendor
CVE-2026-20748

6.9 MEDIUM

Key Information:

Vendor: Everon

CVE Published: 6 March 2026

What is CVE-2026-20748?

The WebSocket backend for charging stations contains a flaw that allows multiple endpoints to establish connections using the same session identifier. Because the session identifiers are predictable, the defect can lead to session hijacking or session shadowing: a malicious actor may impersonate legitimate users by taking over their active sessions. It also allows an attacker to flood the backend with valid session requests, potentially disrupting service. Stakeholders should be aware of this vulnerability and take the measures needed to secure their systems against unauthorized access and to ensure proper session management.

Affected Version(s)

api.everon.io: All versions

References

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.