PatchSiren cyber security CVE debrief

CVE-2026-26290 EV Energy CVE debrief

CVE-2026-26290 describes a WebSocket session-binding weakness in EV Energy ev.energy where charging-station identifiers are used to associate sessions, but multiple endpoints can connect with the same session identifier. Because the identifiers are predictable, a later connection can displace the legitimate charging station and receive backend commands intended for that station. CISA’s advisory says this can support session hijacking or shadowing, unauthorized authentication as another user, and denial of service by flooding the backend with valid session requests.

Vendor: EV Energy
Product: Unknown
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Operators and integrators using EV Energy ev.energy, especially teams managing WebSocket-connected charging infrastructure, backend session handling, or remote command delivery. Security teams should also care if the deployment exposes session-establishment endpoints to untrusted networks or lacks strict one-to-one session binding and duplicate-session controls.

Technical summary

The issue is an authentication and session-integrity problem in the WebSocket backend. The advisory states that charging-station identifiers are used to uniquely associate sessions, but the implementation allows multiple endpoints to connect using the same identifier. Because the session identifier is simply the station identifier, it is predictable, and the backend permits session hijacking/shadowing: the newest connection replaces the legitimate station and becomes the recipient of backend commands. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3, HIGH), reflecting network reachability and moderate confidentiality, integrity, and availability impact.

Defensive priority

High. The flaw is network-reachable, requires no privileges or user interaction, and can affect both command integrity and service availability. Because the advisory indicates the vendor did not respond to CISA’s coordination request, defenders should treat this as an active hardening and monitoring priority while tracking for a vendor fix.

Recommended defensive actions

  • Inventory all EV Energy ev.energy deployments and identify any exposed WebSocket/session endpoints.
  • Treat charging-station identifiers as insufficient for authentication; require unguessable, cryptographically strong session tokens and strict one-session-per-device binding.
  • Reject duplicate or concurrent sessions for the same station unless explicitly intended and safely mediated.
  • Invalidate or quarantine stale sessions when a new connection appears, and log/alert on repeated duplicate-session attempts.
  • Add rate limiting and backend admission controls to reduce the risk of valid-session flooding and service disruption.
  • Monitor for shadowing indicators such as unexpected session replacement, command routing anomalies, or abrupt disconnect/reconnect patterns.
  • Follow the CISA advisory and vendor contact path for updates; apply vendor remediation when available.
  • Segment and restrict backend access to reduce exposure of session-establishment endpoints to untrusted networks.
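As an added example (not EV Energy's code; station IDs, secrets, connection IDs and alert strings are constructed), a minimal in-memory session registry contrasts the binding the technical summary describes, where the newest connection presenting a station ID wins, with the one-session-per-station binding behind a per-station secret that the actions above call for:

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class SessionRegistry:
    station_secrets: dict                          # station_id -> enrolled secret (constructed)
    sessions: dict = field(default_factory=dict)   # station_id -> currently bound connection id
    alerts: list = field(default_factory=list)     # constructed alert lines a SIEM would receive

    def connect_weak(self, station_id: str, conn_id: str) -> str:
        """Vulnerable binding as the advisory describes it: any endpoint presenting a
        known (predictable) station ID becomes the bound session, displacing the real one."""
        self.sessions[station_id] = conn_id
        return conn_id

    def connect_hardened(self, station_id: str, presented_secret: str, conn_id: str) -> bool:
        """Hardened binding: per-station secret required, one session per station,
        and a duplicate attempt is refused and alerted rather than honoured."""
        expected = self.station_secrets.get(station_id)
        if expected is None or not hmac.compare_digest(expected, presented_secret):
            self.alerts.append(f"auth_fail station={station_id} conn={conn_id}")
            return False
        bound = self.sessions.get(station_id)
        if bound is not None and bound != conn_id:
            self.alerts.append(f"duplicate_session station={station_id} conn={conn_id}")
            return False
        self.sessions[station_id] = conn_id
        return True

    def disconnect(self, station_id: str, conn_id: str) -> None:
        """Release the binding only if the disconnecting connection owns it."""
        if self.sessions.get(station_id) == conn_id:
            del self.sessions[station_id]

    def route_command(self, station_id: str):
        return self.sessions.get(station_id)       # connection that would receive backend commands

def demo() -> dict:
    secret = secrets.token_hex(16)                 # enrolled out of band, not derived from the ID
    weak = SessionRegistry(station_secrets={})
    weak.connect_weak("CS-0001", "conn-legit")
    weak.connect_weak("CS-0001", "conn-second")    # newest connection silently takes over
    hard = SessionRegistry(station_secrets={"CS-0001": secret})
    first = hard.connect_hardened("CS-0001", secret, "conn-legit")
    dup = hard.connect_hardened("CS-0001", secret, "conn-second")       # refused and alerted
    guess = hard.connect_hardened("CS-0001", "CS-0001", "conn-third")   # the ID is not a credential
    hard.disconnect("CS-0001", "conn-second")      # a non-owner cannot release the binding
    return {"weak_target": weak.route_command("CS-0001"), "hard_target": hard.route_command("CS-0001"),
            "first": first, "dup": dup, "guess": guess, "alerts": hard.alerts}
```

The alert lines are the signal to forward to monitoring: a burst of duplicate_session entries for one station is the shadowing indicator described above.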

Evidence notes

CISA’s CSAF advisory for CVE-2026-26290 states: “The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier,” leading to predictable identifiers and session hijacking/shadowing. It also notes the issue may allow unauthorized authentication as other users or denial of service via valid session requests. The advisory was published on 2026-02-26 and lists CVSS v3.1 7.3 HIGH. CISA’s remediation text says EV Energy did not respond to coordination. No KEV listing is provided in the supplied corpus.

Official resources

Publicly disclosed by CISA in CSAF advisory ICSA-26-057-07 on 2026-02-26. The supplied corpus indicates EV Energy did not respond to CISA’s coordination request. No KEV entry is listed in the provided data.