PatchSiren

CVE-2026-22890 Unknown Vendor CVE debrief

CVE-2026-22890 is a public information exposure issue affecting EV2GO ev2go.io. According to CISA’s advisory, charging station authentication identifiers were publicly accessible through web-based mapping platforms. The advisory was first published on 2026-02-26, and the vendor was not responsive to CISA’s coordination request.

Vendor: Unknown Vendor
Product: EV2GO ev2go.io vers:all/*
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Operators and maintainers of EV charging infrastructure, OT/ICS teams, and security staff responsible for public mapping integrations or externally reachable asset data should review this advisory. Organizations using EV2GO-related services or relying on exposed station metadata should assess whether authentication identifiers are visible to untrusted parties.

Technical summary

The advisory states that charging station authentication identifiers are publicly accessible via web-based mapping platforms. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating a network-reachable issue with low confidentiality and integrity impact and no availability impact. The source corpus does not provide exploit details, affected deployment specifics beyond EV2GO ev2go.io vers:all/*, or evidence of active exploitation.

Defensive priority

Medium. This is not a KEV-listed issue in the supplied corpus, but it involves exposure of authentication identifiers and merits timely review, especially for environments that publish or aggregate EV charging station data.

Recommended defensive actions

  • Review any EV2GO or EV charging station data published to mapping platforms and remove authentication identifiers from public views.
  • Restrict exposure of station identifiers to the minimum necessary audience and validate that public endpoints do not reveal sensitive authentication-related fields.
  • Audit integrations, APIs, and data feeds that populate mapping platforms for unintended data leakage.
  • Coordinate with EV2GO through the vendor contact page referenced in the advisory and track remediation status.
  • Apply general ICS defensive practices from the CISA references, including defense-in-depth and access control review for externally exposed services.
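
One way to carry out the feed audit and field removal described in the actions above, shown as an added example that is not taken from the CISA advisory or from EV2GO. The feed layout, the field names and the key-name patterns are all assumptions constructed for illustration; substitute the schema your own mapping integration publishes.

```python
import json
import re

# Assumption: key-name patterns that suggest an authentication identifier.
# Replace with the field names your own feed schema actually uses.
SENSITIVE_KEY = re.compile(r"(auth|token|secret|password|credential|id_?tag)", re.I)

# Constructed sample: a GeoJSON-style feed as a mapping platform might ingest it.
SAMPLE_FEED = json.loads("""
{"type": "FeatureCollection", "features": [
  {"type": "Feature",
   "geometry": {"type": "Point", "coordinates": [4.89, 52.37]},
   "properties": {"name": "Station A", "connectors": 2,
                  "station_auth_id": "EXAMPLE-0001",
                  "backend": {"url": "wss://example.invalid", "authKey": "EXAMPLE"}}},
  {"type": "Feature",
   "geometry": {"type": "Point", "coordinates": [4.90, 52.38]},
   "properties": {"name": "Station B", "connectors": 4}}
]}
""")

def find_exposed_fields(node, path="$"):
    """Return the JSON path of every key whose name matches SENSITIVE_KEY."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(child)
            hits.extend(find_exposed_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_exposed_fields(item, f"{path}[{i}]"))
    return hits

def redact(node):
    """Return a new feed with matching keys dropped; the input is not modified."""
    if isinstance(node, dict):
        return {k: redact(v) for k, v in node.items() if not SENSITIVE_KEY.search(k)}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node  # scalars are immutable, safe to share

if __name__ == "__main__":
    for hit in find_exposed_fields(SAMPLE_FEED):
        print("exposed:", hit)
    print("after redaction:", find_exposed_fields(redact(SAMPLE_FEED)))
```

Key-name matching only catches fields that are labelled as credentials; identifiers stored under neutral names still need a schema review.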

Evidence notes

All factual claims in this debrief are taken from the supplied CISA CSAF source item and its metadata. The source describes the issue as publicly accessible charging station authentication identifiers via web-based mapping platforms, and includes the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Vendor attribution in the supplied corpus is low-confidence and marked for review; no additional product details should be assumed beyond EV2GO ev2go.io vers:all/*.

Official resources

CISA published the advisory on 2026-02-26, and the supplied CSAF notes that EV2GO did not respond to CISA’s request for coordination. The debrief uses the CVE publication date from the corpus and does not infer any earlier issue date.