PatchSiren cyber security CVE debrief
CVE-2026-22878 Mobility46 CVE debrief
CVE-2026-22878 is an information-disclosure issue affecting Mobility46/mobility46.se where charging station authentication identifiers are publicly accessible via web-based mapping platforms. The advisory is dated 2026-02-26 and assigns a CVSS v3.1 score of 6.5 (Medium). Based on the supplied advisory text, the primary concern is unintended exposure of identifiers rather than service outage.
- Vendor: Mobility46
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators and administrators of Mobility46-based charging station deployments, OT/ICS security teams, and organizations that rely on web mapping or asset-location services for charging infrastructure should review this immediately. Because the exposed data relates to authentication identifiers, teams responsible for identity, access control, and public-facing mapping content should also assess exposure.
Technical summary
The CISA advisory states that charging station authentication identifiers are publicly accessible through web-based mapping platforms. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network-accessible exposure with low confidentiality and integrity impact and no availability impact. The source corpus does not describe exploitation in the wild, and the enrichment does not mark this as a known KEV item.
Defensive priority
High for exposed environments, but not an emergency based on the supplied corpus. Prioritize if the identifiers are still publicly reachable or if the mapping platform is internet-facing. The issue is straightforward to validate and remediate, and the advisory notes unresolved vendor coordination.
Recommended defensive actions
- Inventory any Mobility46/mobility46.se deployments and identify where authentication identifiers are published or mirrored.
- Review web-based mapping integrations, public dashboards, and asset-location feeds for unintended disclosure of identifiers.
- Remove public exposure of authentication identifiers and restrict access to authenticated users only.
- Validate whether exposed identifiers can be used to correlate assets, accounts, or operational details, and rotate or replace affected identifiers if needed.
- Follow the CISA advisory and monitor the vendor contact path provided in the source for remediation updates.
- Apply ICS recommended practices for segmentation, least privilege, and exposure reduction for externally reachable systems.
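One way to carry out the feed review and removal steps above on an export your own organization publishes, as an added example (not code from the advisory, Mobility46, or CISA). It assumes the feed is GeoJSON; the property names, the allowlist, and the key-name pattern are hypothetical and need adapting to the real schema.

```python
import json
import re

# Constructed sample of a public map feed (GeoJSON). Every property name and
# value is hypothetical; none comes from the advisory or a real deployment.
SAMPLE_FEED = json.loads("""
{"type": "FeatureCollection", "features": [
  {"type": "Feature", "geometry": {"type": "Point", "coordinates": [18.06, 59.33]},
   "properties": {"name": "Lot A", "connectors": 2,
                  "station_id": "EXAMPLE-STATION-0001",
                  "meta": {"auth_identifier": "EXAMPLE-ID-0001"}}},
  {"type": "Feature", "geometry": {"type": "Point", "coordinates": [11.97, 57.71]},
   "properties": {"name": "Lot B", "connectors": 4}}
]}
""")

PUBLIC_ALLOWLIST = {"name", "connectors"}  # only these properties get published
# Key names that suggest an identifier or credential (assumed naming scheme).
SUSPECT_KEY = re.compile(r"auth|ident|station_?id|serial|token|secret", re.I)

def find_exposed(feed):
    """Return (feature_index, dotted_path) for each suspect property key."""
    hits = []
    def walk(node, path, idx):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if SUSPECT_KEY.search(key):
                    hits.append((idx, here))
                walk(value, here, idx)  # descend into nested objects
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]", idx)
    for idx, feature in enumerate(feed.get("features", [])):
        walk(feature.get("properties") or {}, "", idx)
    return hits

def redact(feed):
    """Copy the feed, keeping geometry and allowlisted properties only."""
    features = [{"type": f.get("type"), "geometry": f.get("geometry"),
                 "properties": {k: v for k, v in (f.get("properties") or {}).items()
                                if k in PUBLIC_ALLOWLIST}}
                for f in feed.get("features", [])]
    return {"type": feed.get("type"), "features": features}

if __name__ == "__main__":
    print(find_exposed(SAMPLE_FEED))          # audit the current export
    print(find_exposed(redact(SAMPLE_FEED)))  # re-audit after redaction
```

Allowlisted values are copied whole, so re-running `find_exposed` on the redacted output catches identifiers nested inside an allowed property.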
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory content and the listed official references. The advisory text explicitly says: 'Charging station authentication identifiers are publicly accessible via web-based mapping platforms.' It also includes SSVCv2/E:N/A:Y/2026-02-25T07:00:00.000000Z. The advisory revision history shows initial publication on 2026-02-26. CISA's remediation note says Mobility46 did not respond to coordination, and provides the vendor contact page. No KEV entry or ransomware campaign use is supplied in the corpus.
Official resources
- CVE-2026-22878 CVE record (CVE.org)
- CVE-2026-22878 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-02-26 and states Mobility46 did not respond to its coordination request. The supplied enrichment indicates this is not a KEV-listed issue and does not indicate known ransomware campaign use.