Authentication Flaw in WebSocket for EV Charging Stations
CVE-2026-24731

9.3CRITICAL

Key Information:

Vendor: Ev2go
Status: Ev2go.io
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-24731?

The OCPP WebSocket endpoint suffers from a lack of proper authentication measures, allowing unauthenticated attackers to exploit known or discovered identifiers associated with charging stations. By connecting to the unprotected WebSocket endpoint, attackers can issue or intercept OCPP commands as if they were legitimate charging stations. This vulnerability poses serious risks, including privilege escalation and unauthorized manipulation of charging infrastructure, compromising the integrity of the data sent to the backend.

Affected Version(s)

ev2go.io All versions

References

https://ev2go.io/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.

CVE-2026-24731 Data

JSON