Home / Vulnerability Intelligence / CVE-2026-20781

CVE-2026-20781 - Vulnerability Analysis

CriticalCVSS: 9.4

Last Updated: March 2, 2026

OCPP WebSocket - Broken Access Control

Published: February 27, 2026Updated: March 2, 2026Remote Exploitable

Overview

OCPP WebSocket endpoints contain a broken access control vulnerability caused by lack of authentication, letting unauthenticated attackers impersonate stations and manipulate backend data, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.4

EPSS Score: 13.2%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can control charging stations, escalate privileges, and corrupt backend charging network data.

Mitigation

Implement proper authentication mechanisms on WebSocket endpoints or update to a version that enforces authentication.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 27, 2026

🔴 CVE-2026-20781 - Critical (9.4) WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20781/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-20781
Severity: Critical
CVSS Score: 9.4
Type: broken_access_control
Status: confirmed
EPSS: 13.2%
Social Posts: 1

CWE

CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score

13.2%Probability of exploitation in the next 30 days