Session Hijacking Vulnerability in Charging Station Backend Software by CloudCharge
CVE-2026-27652

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 26 February 2026

What is CVE-2026-27652?

The charging station backend software by CloudCharge allows multiple endpoints to connect using the same session identifier because of flawed handling of charging station identifiers. The implementation results in predictable session identifiers, which makes it possible for malicious actors to hijack sessions. When a new endpoint connects, it can displace the legitimate connection and gain access to backend commands intended for the authenticated charging station. This not only opens the door to unauthorized user authentication but also carries a risk of denial-of-service attacks, as the backend may be overwhelmed by a flood of legitimate session requests from compromised connections.
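A defensive sketch of the control this description implies is missing, added here as an example and not taken from CloudCharge's code: a backend registry that issues random session tokens, refuses a second connection that presents only the station identifier, and records takeover attempts. The class and method names, the per-station secret, and the sample station ID are all assumptions made for the illustration.

```python
import hmac
import secrets


class SessionRegistry:
    """Hypothetical backend registry: one live session per charging station."""

    def __init__(self, station_keys):
        self._keys = station_keys   # station_id -> per-station secret (assumed provisioning)
        self._live = {}             # station_id -> (session_token, connection label)
        self.alerts = []            # displacement events kept for review

    def connect(self, station_id, credential, conn):
        """Return a fresh random session token, or None if the connection is refused."""
        expected = self._keys.get(station_id)
        # Knowing the station identifier alone must never be enough to get a session.
        if expected is None or not hmac.compare_digest(expected, credential):
            if station_id in self._live:
                # The identifier is already in use by a live connection: record it.
                self.alerts.append((station_id, conn, "unauthenticated takeover attempt"))
            return None
        if station_id in self._live:
            # Authenticated reconnect: log it, then rotate the token so the old
            # connection's session is invalidated rather than shared.
            self.alerts.append((station_id, conn, "authenticated reconnect"))
        token = secrets.token_urlsafe(32)   # unpredictable, not derived from station_id
        self._live[station_id] = (token, conn)
        return token

    def authorize(self, station_id, token):
        """Backend commands are routed only to the holder of the current token."""
        live = self._live.get(station_id)
        return live is not None and hmac.compare_digest(live[0], token)


def demo():
    # Constructed sample data: the station ID and secret are made up for this example.
    reg = SessionRegistry({"CS-0001": b"per-station-secret"})
    legit = reg.connect("CS-0001", b"per-station-secret", "conn-A")
    hijack = reg.connect("CS-0001", b"", "conn-B")   # presents only the identifier
    return legit, hijack, reg.authorize("CS-0001", legit), reg.alerts
```
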

Affected Version(s)

cloudcharge.se All versions

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.