Platform: other
Component: csaf
CVE-2026-24731 describes a critical vulnerability in ev2go.io, allowing attackers to impersonate charging stations and manipulate data. This stems from a lack of authentication on WebSocket endpoints, enabling unauthorized OCPP command execution. All versions of ev2go.io are affected, and a fix is pending.
The vulnerability allows an attacker to connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier without authentication. Subsequently, they can issue or receive OCPP commands as if they were a legitimate charger. This represents a significant privilege escalation risk, potentially granting attackers complete control over charging infrastructure. The attacker could manipulate charging sessions, alter reported data, and disrupt the charging network, leading to financial losses, reputational damage, and potentially even safety hazards. The lack of authentication makes exploitation relatively straightforward, increasing the potential for widespread abuse.
This vulnerability is considered a high-probability exploitation target because of the ease of exploitation and the critical nature of the affected infrastructure. Public proof-of-concept code is not yet available, but the simplicity of the attack vector suggests it is likely to emerge. The vulnerability was publicly disclosed on 2026-02-26. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade to a patched version of ev2go.io once it is available. Until then, implement temporary workarounds to limit the impact. A Web Application Firewall (WAF) or proxy server can be configured to restrict access to the OCPP WebSocket endpoint, requiring authentication or limiting access by source IP address or other criteria. Implement strict input validation on all OCPP commands received to reject malicious payloads, and monitor network traffic for suspicious OCPP command patterns.
Implement robust authentication mechanisms for WebSocket endpoints. Validate and authorize all OCPP requests before processing them. Consider using digital certificates or authentication tokens to verify the identity of charging stations.
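As an added illustration of the authentication check described above (not code from ev2go.io or its advisory), the following shows the flawed "identity from the URL alone" acceptance beside a hardened WebSocket upgrade check in the style of the OCPP 1.6 security profiles that use HTTP Basic authentication, where the username must equal the charge point identifier in the URL path. The URL layout, credential store, identifiers and key values are constructed assumptions.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample credential store: charge point identifier -> SHA-256 of its
# AuthorizationKey. A real CSMS loads this from its database, never from source.
def _key_digest(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()

CREDENTIALS: Mapping[str, bytes] = {
    "CP-0001": _key_digest("constructed-key-0001"),  # placeholder key, assumed
}

def charge_point_id_from_path(path: str) -> Optional[str]:
    """OCPP-J carries the charge point identifier as the last URL path segment."""
    segment = path.rsplit("/", 1)[-1]
    return segment or None

def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header a legitimate charger would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

def vulnerable_accept(path: str) -> Optional[str]:
    """The flaw this page describes: identity is taken from the URL alone."""
    return charge_point_id_from_path(path)

def authorize_upgrade(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Hardened check: return the authenticated charge point id, or None to reject.

    The identifier in the URL is only a claim; it is accepted when the client
    also presents Basic credentials whose username equals that identifier and
    whose password matches the stored AuthorizationKey.
    """
    cp_id = charge_point_id_from_path(path)
    if cp_id is None:
        return None
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or text
        return None
    expected = CREDENTIALS.get(cp_id)
    if expected is None or user != cp_id:
        return None
    # Constant-time digest comparison so timing does not leak key material.
    return cp_id if hmac.compare_digest(_key_digest(password), expected) else None
```

Rejected upgrades should also be logged with the claimed identifier and source address, since repeated failures against known charger identifiers are the detection signal for this class of abuse.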
CVE-2026-24731 is a CRITICAL vulnerability affecting all ev2go.io versions. It allows unauthenticated attackers to impersonate charging stations and manipulate data due to a lack of authentication on WebSocket endpoints.
Yes, all versions of ev2go.io are currently affected by this vulnerability. Assess your deployments and implement mitigations immediately.
Upgrade to a patched version of ev2go.io as soon as it becomes available. Until then, implement WAF rules to restrict access to the OCPP WebSocket endpoint.
While no active exploitation has been confirmed, the ease of exploitation suggests it is a high-probability target. Monitor your systems closely.
Refer to the official ev2go.io security advisory for detailed information and updates regarding this vulnerability. Check their website and security mailing lists.