LeakyCreds

CVE-2026-27772 - Vulnerability Analysis

Critical | CVSS: 9.4

Last Updated: February 27, 2026

OCPP WebSocket - Authentication Bypass

Published: February 27, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

OCPP WebSocket endpoints contain an authentication bypass caused by a lack of proper authentication mechanisms, letting unauthenticated attackers impersonate stations and manipulate backend data. Exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.4

Impact

Unauthenticated attackers can control charging infrastructure, escalate privileges, and corrupt backend charging network data.

Mitigation

Implement proper authentication mechanisms on WebSocket endpoints to prevent unauthorized access.

Details

CVE ID: CVE-2026-27772
Severity: Critical
CVSS Score: 9.4
Type: broken_authentication
Status: new

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L