Session Hijacking Vulnerability in Charging Station Management Systems
CVE-2026-20895

6.9MEDIUM

Key Information:

Vendor: Ev2go
Status: Ev2go.io
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-20895?

The vulnerability arises from the WebSocket backend's handling of session identifiers associated with charging stations. By allowing multiple endpoints to utilize the same session identifier, the system enables predictable session hijacking scenarios. Malicious actors can exploit this flaw to impersonate legitimate users or disrupt services by overwhelming the backend with simultaneous session requests. This raises serious security concerns regarding unauthorized access and denial-of-service conditions within charging station networks.

Affected Version(s)

ev2go.io All versions

References

https://ev2go.io/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.

CVE-2026-20895 Data

JSON