CVE-2026-27028 - Vulnerability Analysis
CriticalCVSS: 9.4Last Updated: February 27, 2026
OCPP WebSocket - Authentication Bypass
Published: February 27, 2026Updated: February 27, 2026Remote Exploitable
Overview
OCPP WebSocket endpoints contain an authentication bypass caused by lack of proper authentication mechanisms, letting unauthenticated attackers impersonate stations and manipulate backend data, exploit requires no authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.4
Impact
Unauthenticated attackers can control charging infrastructure, escalate privileges, and corrupt backend data, risking operational disruption and data integrity.
Mitigation
Implement proper authentication mechanisms on WebSocket endpoints to prevent unauthorized access.
References
Related Resources
Details
- CVE ID
- CVE-2026-27028
- Severity
- Critical
- CVSS Score
- 9.4
- Type
- broken_authentication
- Status
- new
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L