CVE-2026-29796

Received
Published: 20 Mar 2026, 22:53
Last modified:20 Mar 2026, 23:03

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.4 CRITICAL
v3.1 (cve.org)
EPSS Score
0.1% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Mar 2026, 22:53
Published
Vulnerability first disclosed
20 Mar 2026, 23:03
Last Modified
Vulnerability information updated

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.1CRITICALScore: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Trends

Current EPSS score: 0.10% Percentile: 27%

Techniques & Countermeasures

  • CWE-306Missing Authentication for Critical Function

    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Affected Systems

  • igl-technologieseparking.fi

    All versions

References (2)