CVE-2026-24731 - Vulnerability Analysis
Critical | CVSS: 9.4 | Last Updated: February 27, 2026
OCPP WebSocket - Broken Access Control
Published: February 27, 2026 | Updated: February 27, 2026 | Remote Exploitable
Overview
OCPP WebSocket endpoints contain a broken access control vulnerability caused by a lack of authentication. It lets unauthenticated attackers impersonate stations and manipulate backend data. Exploitation requires no authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.4
Impact
Unauthenticated attackers can control charging infrastructure and corrupt backend data, leading to privilege escalation and unauthorized operations.
Mitigation
Implement proper authentication mechanisms on WebSocket endpoints to prevent unauthorized access.
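One way to enforce this at the WebSocket upgrade, as an added example that is not code from the affected product: the backend rejects the handshake unless the request carries credentials bound to the station identity in the URL. It assumes HTTP Basic credentials on the upgrade request (as in the OCPP Basic Authentication security profiles), the station identity as the last path segment, and a hypothetical `STATIONS` store with constructed values.

```python
import base64
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000

def hash_secret(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)

# Constructed credential store (hypothetical): station id -> (salt, PBKDF2 hash).
_SALT = b"constructed-salt"
STATIONS = {"CP-0001": (_SALT, hash_secret(b"constructed-station-secret", _SALT))}

def authorize_upgrade(path, headers, stations=STATIONS):
    """Return the authenticated station id, or None (answer 401, no upgrade).

    Call this before accepting the WebSocket upgrade. Basic credentials are
    only meaningful when the connection itself is TLS (wss://).
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # the CWE-306 case: no credentials presented at all
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None  # malformed base64
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    known = station_id in stations
    # Unknown stations still go through one hash computation, so response
    # timing does not reveal which station ids exist.
    salt, expected = stations.get(station_id, (b"unknown", b"\0" * 32))
    ok_pass = hmac.compare_digest(hash_secret(password, salt), expected)
    # The username must equal the identity in the URL; otherwise a valid
    # credential for one station could be replayed to impersonate another.
    ok_user = hmac.compare_digest(user, station_id.encode())
    return station_id if (known and ok_user and ok_pass) else None
```

The returned station id, not any identity field inside later OCPP messages, is what the backend should attribute the session to.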
Details
- CVE ID: CVE-2026-24731
- Severity: Critical
- CVSS Score: 9.4
- Type: broken_access_control
- Status: new
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L