Authentication Flaw in OCPP WebSocket Endpoints Exposes Charging Stations by Epower
CVE-2026-22552

9.3CRITICAL

Key Information:

Vendor: Epower
Status: Epower.ie
Vendor: CVE Published:; 5 March 2026

What is CVE-2026-22552?

The OCPP WebSocket endpoints provided by Epower are susceptible to an authentication bypass vulnerability that allows unauthorized attackers to impersonate legitimate charging stations. By exploiting this flaw, an intruder can connect to the WebSocket endpoint using a recognizable charging station ID and send or receive Open Charge Point Protocol (OCPP) commands without any authentication required. This exploitation can result in unauthorized control over charging infrastructure, leading to potential privilege escalation and manipulation of vital network data communicated to backend systems.

Affected Version(s)

epower.ie All versions

References

https://epower.ie/support/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2026
Vulnerability Reserved
Feb 24, 2026

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.

CVE-2026-22552 Data

JSON