PatchSiren cyber security CVE debrief
CVE-2026-26305 Mobility46 CVE debrief
CVE-2026-26305 is a network-reachable rate-limiting weakness in a WebSocket Application Programming Interface associated with Mobility46 mobility46.se. CISA says the API accepts unrestricted authentication requests, which may let an attacker suppress or mis-route legitimate charger telemetry, trigger denial-of-service conditions, or brute-force credentials for unauthorized access. The advisory was initially published on 2026-02-26 and rates the issue CVSS 3.1 7.5 High.
- Vendor: Mobility46
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators, integrators, and defenders responsible for Mobility46 environments should treat this as a priority exposure, especially where the WebSocket interface is reachable from untrusted networks. OT/ICS teams should also review any telemetry paths, remote management access, and authentication gateways that could be abused repeatedly without user interaction.
Technical summary
According to the CISA CSAF advisory, the weakness is the absence of restrictions on the number of authentication requests made to a WebSocket API. That creates a low-complexity, network-based abuse path with no user interaction required. The likely security impact is availability loss through request flooding and, secondarily, unauthorized access attempts through brute force. The source corpus also notes that Mobility46 did not respond to CISA’s coordination request.
Defensive priority
High. The issue is easy to reach over the network and can be exercised repeatedly, so defenders should reduce exposure and add throttling or monitoring controls as soon as practical.
Recommended defensive actions
- Contact Mobility46 using the published contact page and watch for vendor guidance or remediation.
- Restrict the WebSocket interface to trusted management networks or VPN-only access where possible.
- Add rate limiting, throttling, or request-burst controls at a gateway, proxy, or reverse proxy in front of the service if product-side controls are unavailable.
- Monitor authentication failures, request spikes, and anomalous telemetry routing or suppression patterns.
- Segment charger/telemetry systems from broader enterprise networks and limit lateral access to the service.
- Apply CISA industrial control system recommended practices referenced in the advisory for defense-in-depth hardening.
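As an added illustration of the proxy-side throttling and lockout recommended above (this is example code written for this debrief, not from the advisory or from Mobility46; the limits, IP keys and clock hook are assumed policy values), the limiter below counts every authentication frame per source so that flooding is capped, and separately locks out a source after repeated failures so that brute force stalls even when reconnecting:

```python
from collections import deque
import time


class AuthThrottle:
    """Sliding-window limiter for authentication frames on a WebSocket API.

    Every auth request is counted, successful or not, because flooding the
    endpoint is the availability risk; repeated failures additionally trip a
    lockout, which addresses the brute-force risk. Budgets are keyed by source
    IP so that opening a fresh WebSocket does not reset them. All numeric
    defaults are hypothetical policy values, not vendor guidance.
    """

    def __init__(self, max_per_window=5, window_s=60.0,
                 max_failures=10, lockout_s=900.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self._clock = clock          # injectable for deterministic testing
        self._attempts = {}          # source_ip -> deque of attempt timestamps
        self._failures = {}          # source_ip -> consecutive failure count
        self._locked_until = {}      # source_ip -> time the lockout expires

    def check(self, source_ip):
        """Return (allowed, reason); call once per auth frame before verifying it."""
        now = self._clock()
        if now < self._locked_until.get(source_ip, 0.0):
            return False, "locked_out"
        window = self._attempts.setdefault(source_ip, deque())
        # Drop attempts that have aged out of the sliding window.
        while window and now - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.max_per_window:
            return False, "rate_limited"
        window.append(now)
        return True, "ok"

    def record_result(self, source_ip, success):
        """Feed the credential-check outcome back so brute force trips a lockout."""
        if success:
            self._failures.pop(source_ip, None)
            return
        count = self._failures.get(source_ip, 0) + 1
        self._failures[source_ip] = count
        if count >= self.max_failures:
            self._locked_until[source_ip] = self._clock() + self.lockout_s
            self._failures.pop(source_ip, None)
```

Both `rate_limited` and `locked_out` decisions are worth logging with the source address, since the advisory's monitoring recommendation depends on seeing authentication bursts as they happen.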
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory data and official reference links. The advisory title is "Mobility46 mobility46.se" and the corpus marks the vendor/product mapping as low confidence, so the summary avoids asserting a stronger product identity than the source supports. No exploit code, offensive reproduction steps, or unsupported remediation claims were used.
Official resources
- CVE-2026-26305 CVE record (CVE.org)
- CVE-2026-26305 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory and source item on 2026-02-26 as the initial publication. The advisory states that Mobility46 did not respond to CISA’s coordination request.