PatchSiren cyber security CVE debrief
CVE-2026-20792 Unknown Vendor CVE debrief
CISA’s advisory for Chargemap/chargemap.com says the WebSocket API does not restrict the number of authentication requests. That weakness can let a remote attacker flood the service, disrupt or misroute legitimate charger telemetry, and attempt brute-force access. CISA published the issue as CVE-2026-20792 with CVSS 7.5 (High) on 2026-02-26.
- Vendor: Unknown Vendor
- Product: Chargemap chargemap.com vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Security, operations, and incident response teams responsible for Chargemap/chargemap.com deployments, especially anyone monitoring WebSocket authentication, charger telemetry availability, or access-control abuse.
Technical summary
The advisory describes a network-reachable WebSocket authentication weakness: there are no limits on authentication request volume. CISA states this may enable denial-of-service by suppressing or misrouting charger telemetry, and may also support brute-force attempts to gain unauthorized access. The provided CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with the availability impact emphasized in the source.
Defensive priority
High
Recommended defensive actions
- Add server-side rate limiting and progressive backoff to WebSocket authentication endpoints.
- Implement alerting for repeated authentication failures, credential-spraying patterns, and unusual WebSocket session churn.
- Restrict exposure of the WebSocket service to the smallest necessary network scope and apply edge controls where available.
- Review telemetry handling so missed, delayed, or misrouted charger data is detected and reconciled quickly.
- Verify whether Chargemap has issued a fix or operational guidance; the advisory says CISA did not receive a coordination response from the vendor.
- Use the CISA advisory and official CVE/NVD records to track any later updates or status changes.
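The first two actions above, sketched as an added example (not code from the advisory or from Chargemap): a per-key limiter that caps authentication attempts in a sliding window and applies an exponentially growing lockout after consecutive failures. The class name, the thresholds and the choice of key are assumptions.

```python
import time
from collections import defaultdict, deque


class AuthThrottle:
    """Per-key limiter for WebSocket authentication attempts (hypothetical helper)."""

    def __init__(self, max_attempts=5, window=60.0, base_lock=2.0, max_lock=900.0):
        self.max_attempts = max_attempts      # attempts allowed per window
        self.window = window                  # sliding window, seconds
        self.base_lock = base_lock            # lockout after the first failure
        self.max_lock = max_lock              # ceiling for the backoff
        self._attempts = defaultdict(deque)   # key -> timestamps of admitted attempts
        self._failures = defaultdict(int)     # key -> consecutive failures
        self._locked_until = {}               # key -> time the lockout ends

    def check(self, key, now=None):
        """Call before verifying credentials; returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        locked = self._locked_until.get(key, 0.0)
        if now < locked:                      # still inside a backoff lockout
            return False, locked - now
        recent = self._attempts[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # drop attempts older than the window
        if len(recent) >= self.max_attempts:  # volume cap reached for this key
            return False, self.window - (now - recent[0])
        recent.append(now)                    # only admitted attempts are counted
        return True, 0.0

    def record(self, key, success, now=None):
        """Record the outcome; returns the lockout (seconds) applied after a failure."""
        now = time.monotonic() if now is None else now
        if success:                           # a valid login clears the backoff state
            self._failures.pop(key, None)
            self._locked_until.pop(key, None)
            return 0.0
        self._failures[key] += 1
        lock = min(self.base_lock * 2 ** (self._failures[key] - 1), self.max_lock)
        self._locked_until[key] = now + lock  # doubles with each consecutive failure
        return lock
```

Keying on both the source address and the claimed charger identifier keeps an attacker from resetting the limit by rotating one of them. Idle keys should be evicted in a real deployment so the tables themselves cannot be grown without bound, and the denials returned by `check` are a natural source for the failure alerting in the second action.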
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-057-05 (published 2026-02-26), which names the product as “Chargemap chargemap.com vers:all/*” and states that the WebSocket API lacks restrictions on authentication requests. The advisory explicitly cites denial-of-service, telemetry suppression/misrouting, and brute-force access as possible outcomes. The remediation section says Chargemap did not respond to CISA’s coordination request. The advisory also includes an SSVCv2 notation dated 2026-02-25T07:00:00.000000Z.
Official resources
- CVE-2026-20792 CVE record (CVE.org)
- CVE-2026-20792 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory and source CSAF record on 2026-02-26. The provided corpus does not list a KEV entry, and the remediation section states that Chargemap did not respond to CISA’s coordination request.