
CVE-2026-27028 - Vulnerability Analysis

Critical | CVSS: 9.4

Last Updated: March 2, 2026

OCPP WebSocket - Authentication Bypass

Published: February 27, 2026 | Updated: March 2, 2026 | Remote Exploitable

Overview

OCPP WebSocket endpoints contain an authentication bypass caused by a lack of proper authentication mechanisms, letting unauthenticated attackers impersonate stations and manipulate backend data. Exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.4
EPSS Score: 17.7% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can control charging infrastructure, escalate privileges, and corrupt backend data, risking operational disruption and data integrity.

Mitigation

Implement proper authentication mechanisms on WebSocket endpoints to prevent unauthorized access.
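
One way to apply this mitigation at the WebSocket upgrade step, as an added example that is not code from the advisory or the vendor. It assumes HTTP Basic credentials on the upgrade request with the station identity as username; the `/ocpp/<station-id>` path layout, the `authorize_upgrade` helper and the `STATION_KEYS` store are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample credential store: station id -> SHA-256 of its password.
# A real deployment would use a salted, slow hash and a proper secret store.
STATION_KEYS = {
    "CP001": hashlib.sha256(b"constructed-sample-key-1").hexdigest(),
}


def station_id_from_path(path):
    """Return the station identity, taken as the last path segment (assumed layout)."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def authorize_upgrade(path, headers):
    """Decide whether a WebSocket upgrade request may proceed.

    `headers` is a dict with canonical header names. Returns (True, station_id)
    or (False, reason); the caller answers a refusal with HTTP 401 before any
    OCPP message is processed.
    """
    station_id = station_id_from_path(path)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False, "missing credentials"
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed credentials"
    user, sep, password = decoded.partition(b":")
    if not sep:
        return False, "malformed credentials"
    # The identity claimed in the URL must be the identity that authenticated,
    # otherwise one valid station could speak as any other station.
    if user != station_id.encode():
        return False, "identity mismatch"
    expected = STATION_KEYS.get(station_id)
    supplied = hashlib.sha256(password).hexdigest()
    # Unknown stations are compared against a dummy digest to keep timing flat.
    matches = hmac.compare_digest(supplied, expected or "0" * 64)
    if expected is None or not matches:
        return False, "bad credentials"
    return True, station_id
```

The check runs before the connection is upgraded, so a request without valid credentials never reaches the OCPP message handler.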

Social Media Activity (2 posts)

BeyondMachines
@beyondmachines1
Feb 27, 2026

Critical Authentication and Session Flaws Discovered in Mobility46 EV Charging Stations

Mobility46's EV charging platform contains four vulnerabilities, including a critical authentication bypass (CVE-2026-27028), that allow attackers to impersonate charging stations and seize administrative control. The vendor has not responded with a patch.

**If you operate Mobility46 charging stations, make sure that the systems are isolated from the internet and accessible only from trusted networks or VPN.**

#cybersecurity #infosec #advisory #vulnerability

https://beyondmachines.net/event_details/critical-authentication-and-session-flaws-discovered-in-mobility46-ev-charging-stations-h-c-g-0-l/gD2P6Ple2L

TheHackerWire
@thehackerwire
Feb 27, 2026

CVE-2026-27028 - Critical (9.4)

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a ...

https://www.thehackerwire.com/vulnerability/CVE-2026-27028/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-27028
Severity: Critical
CVSS Score: 9.4
Type: broken_authentication
Status: confirmed
EPSS: 17.7%
Social Posts: 2

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score

17.7% (Probability of exploitation in the next 30 days)