PatchSiren

CVE-2026-26051 Unknown Vendor CVE debrief

CVE-2026-26051 is a critical authentication failure in Mobiliti e-mobi.hu affecting OCPP WebSocket endpoints. According to CISA, an unauthenticated attacker can use a known or discovered charging-station identifier to connect as a legitimate charger, issue or receive OCPP commands, impersonate a station, and corrupt backend-reported charging data. The issue was published by CISA on 2026-03-03 and carries a CVSS 3.1 score of 9.4.

Vendor: Unknown Vendor
Product: Mobiliti e-mobi.hu vers:all/*
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-03
Original CVE updated: 2026-03-03
Advisory published: 2026-03-03
Advisory updated: 2026-03-03

Who should care

Operators, integrators, and security teams responsible for Mobiliti/e-mobi.hu EV charging deployments, especially environments exposing OCPP WebSocket services to untrusted networks.

Technical summary

The advisory describes missing authentication on the WebSocket endpoint used for OCPP communications. Because the endpoint accepts sessions without proper authentication, an attacker can impersonate a charging station using a known or discovered station identifier and interact with backend systems as if they were a legitimate charger. The result can include unauthorized control of charging infrastructure, privilege escalation, and corruption of telemetry or operational data sent to the backend.

Defensive priority

Immediate

Recommended defensive actions

  • Restrict exposure of the OCPP WebSocket endpoint to trusted networks and only allow authorized management paths.
  • Require strong authentication and per-station authorization before accepting WebSocket or OCPP sessions.
  • Validate station identifiers and reject unauthenticated or unexpected session initiation attempts.
  • Monitor for station impersonation, abnormal command traffic, and backend data anomalies tied to charging stations.
  • Apply CISA ICS recommended practices and defense-in-depth guidance to harden the charging management environment.
  • Use the vendor contact path in the advisory to request remediation status and updates.
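
One way to apply the authentication and identifier-validation actions above at the WebSocket upgrade step. This is an added example, not code from the advisory or the vendor. It assumes the station identifier is the last URL path segment and that stations present HTTP Basic credentials; the function name, registry layout, path, and sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote


def _kdf(secret: bytes, salt: bytes) -> bytes:
    # Store only a salted, stretched hash of each station secret.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


# Constructed registry: station id -> (salt, hash of that station's own secret).
REGISTRY = {"CS-0001": (b"salt-0001", _kdf(b"constructed-secret-1", b"salt-0001"))}
# Dummy entry so unknown ids cost the same work as known ones.
_DUMMY = (b"dummy-salt", _kdf(b"dummy", b"dummy-salt"))


def authorize_upgrade(path: str, headers: dict) -> tuple[int, str]:
    """Return (HTTP status, reason) for a WebSocket upgrade request.

    `headers` is assumed to be normalized by the caller so the key is
    exactly "Authorization". 101 means the upgrade may proceed.
    """
    station_id = unquote(path.rstrip("/").rsplit("/", 1)[-1])
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    # Knowing a station identifier alone is never sufficient.
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        user, sep, secret = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return 401, "malformed credentials"
    if not sep:
        return 401, "malformed credentials"
    # Per-station authorization: the credential must belong to the
    # station named in the URL, not merely to some valid station.
    if user.decode("utf-8", "replace") != station_id:
        return 403, "identity mismatch"
    salt, expected = REGISTRY.get(station_id, _DUMMY)
    matches = hmac.compare_digest(_kdf(secret, salt), expected)
    if not matches or station_id not in REGISTRY:
        return 401, "bad credentials"
    return 101, "accepted"
```

Logging every non-101 result together with the source address and requested identifier gives the monitoring action a direct signal for impersonation attempts.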

Evidence notes

All core claims are taken from CISA CSAF ICSA-26-062-06 and its linked references. The advisory text states that WebSocket endpoints lack proper authentication, enabling unauthorized station impersonation, OCPP command abuse, and backend data corruption. The supplied corpus also records that Mobiliti did not respond to CISA's request for coordination. Published and modified dates in the supplied source are 2026-03-03.

Official resources

CISA published the advisory and CVE on 2026-03-03. The supplied source states that Mobiliti did not respond to CISA's coordination request. No KEV listing is included in the supplied corpus.