LeakyCreds

CVE-2026-22552 - Vulnerability Analysis

Critical | CVSS: 9.4

Last Updated: March 6, 2026

OCPP WebSocket - Broken Access Control

Published: March 6, 2026 | Updated: March 6, 2026 | Remote Exploitable

Overview

OCPP WebSocket endpoints contain a broken access control vulnerability caused by a lack of authentication. Unauthenticated attackers can impersonate charging stations and manipulate backend data; exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.4
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can control charging infrastructure and corrupt backend data, leading to privilege escalation and unauthorized operations.

Mitigation

Implement proper authentication mechanisms on WebSocket endpoints or update to a version that enforces authentication.

Social Media Activity (2 posts)

BeyondMachines :verified:
@beyondmachines1
Mar 4, 2026

CISA warns of multiple vulnerabilities in ePower EV charging stations

CISA warns of multiple vulnerabilities in ePower charging stations, including a critical authentication bypass (CVE-2026-22552), that allow unauthenticated attackers to hijack EV infrastructure and disrupt services.

**Make sure your ePower charging station is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch, that's your only defense until the vendor does something or you replace these systems.**

#cybersecurity #infosec #advisory #vulnerability

https://beyondmachines.net/event_details/cisa-warns-of-multiple-vulnerabilities-in-epower-ev-charging-stations-f-j-9-6-s/gD2P6Ple2L


Details

CVE ID: CVE-2026-22552
Severity: Critical
CVSS Score: 9.4
Type: broken_access_control
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score

0.0% (Probability of exploitation in the next 30 days)