PatchSiren cyber security CVE debrief
CVE-2026-20781 Unknown Vendor CVE debrief
CVE-2026-20781 is a critical authentication flaw in CloudCharge's OCPP WebSocket endpoints. Because no authentication is required, an attacker who knows or discovers a charging-station identifier can impersonate a legitimate charger, exchange OCPP commands, and tamper with backend-reported data. The likely impact includes unauthorized control of charging infrastructure, privilege escalation, and corruption of operational data.
- Vendor: Unknown Vendor
- Product: CloudCharge cloudcharge.se vers:all/*
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators of CloudCharge-managed EV charging stations, OT/ICS security teams, backend integrators using OCPP, and asset owners responsible for station identity and access control.
Technical summary
CISA's CSAF advisory states that the OCPP WebSocket endpoint lacks proper authentication. An unauthenticated remote actor can connect using a known or discovered station identifier and then issue or receive OCPP commands as if it were a legitimate charger. The advisory describes resulting risks as privilege escalation, unauthorized infrastructure control, and corruption of charging-network data reported to the backend. CISA lists the issue as CVSS v3.1 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and SSVCv2 E:N/A:Y.
Defensive priority
Urgent. This is network-reachable, requires no credentials, and can directly affect charger control and backend data integrity. Treat it as a high-priority exposure reduction issue until vendor guidance or a fix is available.
Recommended defensive actions
- Restrict access to the OCPP WebSocket endpoint to trusted management networks and known charging-station paths only.
- Review whether station identifiers are exposed or predictable, and strengthen identity validation and backend authorization checks where possible.
- Monitor for unusual OCPP sessions, unexpected station IDs, and backend records that suggest charger impersonation or data tampering.
- Segment charging infrastructure from general-purpose networks to reduce the blast radius of unauthorized station access.
- Apply vendor-provided remediation or compensating controls as soon as they are available, and follow the contact path listed in the advisory if you need vendor coordination.
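One way to implement the monitoring action above, as an added example that is not taken from the CISA advisory or from CloudCharge: a pass over WebSocket session events that flags station IDs missing from the asset inventory, known IDs connecting from an unexpected source, and a second concurrent session for an ID that already has one open. The event fields, inventory layout, station IDs and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch
    action: str      # "open" or "close" of a WebSocket session
    station_id: str  # identifier the client presented
    src_ip: str      # source address seen by the endpoint

# Constructed inventory: station ID -> source addresses it is expected to use.
INVENTORY = {
    "CP-0001": {"10.20.0.11"},
    "CP-0002": {"10.20.0.12"},
}

# Constructed sample events (not a real log format).
SAMPLE = [
    Event(100, "open", "CP-0001", "10.20.0.11"),
    Event(160, "open", "CP-0002", "10.20.0.12"),
    Event(200, "open", "CP-0001", "198.51.100.7"),  # second session, new source
    Event(230, "open", "CP-9999", "198.51.100.7"),  # ID not in inventory
    Event(300, "close", "CP-0002", "10.20.0.12"),
    Event(400, "open", "CP-0002", "10.20.0.12"),    # ordinary reconnect
]

def find_anomalies(events, inventory):
    """Return (ts, station_id, reason) tuples for sessions worth reviewing."""
    active = {}    # station_id -> source addresses with an open session
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        sessions = active.setdefault(ev.station_id, set())
        if ev.action == "close":
            sessions.discard(ev.src_ip)
            continue
        if ev.station_id not in inventory:
            findings.append((ev.ts, ev.station_id, "unknown-station-id"))
        elif ev.src_ip not in inventory[ev.station_id]:
            findings.append((ev.ts, ev.station_id, "unexpected-source"))
        # A legitimate charger holds one session; a second one from a
        # different address suggests another client is using its identity.
        if sessions - {ev.src_ip}:
            findings.append((ev.ts, ev.station_id, "concurrent-session"))
        sessions.add(ev.src_ip)
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE, INVENTORY):
        print(finding)
```

Chargers on cellular or NAT links can change source address legitimately, so treat `unexpected-source` as a review signal and weight `concurrent-session` and `unknown-station-id` more heavily.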
Evidence notes
All material facts are taken from CISA CSAF advisory ICSA-26-057-03 for CVE-2026-20781 and the linked CISA reference pages. The supplied advisory text states that CloudCharge did not respond to CISA's coordination request. The vendor/product naming in the corpus is preserved as published, but the vendor identity confidence is low and flagged for review. No exploit instructions or unsupported claims are included.
Official resources
- CVE-2026-20781 CVE record (CVE.org)
- CVE-2026-20781 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA in advisory ICSA-26-057-03 on 2026-02-26. The advisory notes that CloudCharge did not respond to CISA's coordination request. The supplied enrichment does not mark this CVE as a CISA KEV entry.