CVE-2026-20781: CWE-306 Missing Authentication for Critical Function in CloudCharge cloudcharge.se
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis
Technical Summary
CVE-2026-20781 is a critical security vulnerability identified in all versions of CloudCharge's cloudcharge.se platform. The root cause is the lack of authentication on WebSocket endpoints that handle OCPP communications between charging stations and the backend. OCPP is a protocol widely used for communication in electric vehicle charging infrastructure. Because the WebSocket endpoints do not require authentication, an attacker can connect to the endpoint using a known or discovered charging station identifier and impersonate that station. This unauthorized access enables the attacker to send or receive OCPP commands as if they were the legitimate charging station. The consequences include privilege escalation, unauthorized control over charging stations, and manipulation or corruption of charging network data reported to the backend systems. The vulnerability is remotely exploitable over the network without any user interaction or prior privileges, making it highly accessible to attackers. The CVSS 3.1 base score of 9.4 reflects the critical impact on confidentiality and integrity, with a low attack complexity and no authentication required. While no public exploits have been reported yet, the vulnerability poses a significant threat to the security and reliability of electric vehicle charging infrastructure managed by CloudCharge. The absence of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation measures.
Potential Impact
The impact of CVE-2026-20781 is severe for organizations operating or managing electric vehicle charging infrastructure using CloudCharge's platform. Unauthorized attackers can impersonate legitimate charging stations, allowing them to manipulate charging sessions, disrupt service availability, or corrupt data sent to backend systems. This can lead to financial losses, operational disruptions, and damage to the integrity of charging network data, which may affect billing, usage statistics, and maintenance operations. Additionally, attackers could potentially escalate privileges within the charging network, gaining broader control over infrastructure components. The compromise of charging infrastructure could also undermine user trust and regulatory compliance, especially in regions with strict cybersecurity requirements for critical infrastructure. Given the increasing reliance on electric vehicle charging networks, this vulnerability poses a risk to energy providers, fleet operators, and public charging station operators worldwide.
Mitigation Recommendations
To mitigate CVE-2026-20781, organizations should immediately implement strong authentication mechanisms on all WebSocket endpoints handling OCPP communications. This includes enforcing mutual TLS authentication, API keys, or token-based authentication to ensure only authorized charging stations can connect. Network segmentation should be applied to isolate charging infrastructure from other critical systems and limit exposure to external networks. Monitoring and logging of WebSocket connections and OCPP command traffic should be enhanced to detect anomalous or unauthorized activity promptly. Organizations should also conduct thorough audits of charging station identifiers to identify and secure any that may be publicly known or easily discoverable. Until an official patch is released by CloudCharge, consider deploying Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with rules tailored to detect and block unauthorized WebSocket connections. Finally, maintain close communication with CloudCharge for updates and apply patches as soon as they become available.
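An added example, not CloudCharge's code and not part of the advisory: a handshake check for the token-based option above, where the WebSocket upgrade is refused unless the request carries a per-station credential bound to the station ID in the URL. The `/ocpp/<id>` path layout, the HTTP Basic scheme, `REGISTRY`, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

def _hash_key(key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key, salt, 100_000)

# Constructed sample registry: station ID -> (salt, PBKDF2 hash of its key).
REGISTRY = {
    "CP-0001": (b"salt-cp-0001", _hash_key(b"constructed-key-0001", b"salt-cp-0001")),
}

def station_id_from_path(path: str, prefix: str = "/ocpp/"):
    """Return the station ID from a hypothetical /ocpp/<id> path, or None."""
    if not path.startswith(prefix):
        return None
    sid = unquote(path[len(prefix):])
    return sid if sid and "/" not in sid else None

def authorize_upgrade(path: str, headers: dict, registry=REGISTRY):
    """Decide whether a WebSocket upgrade may proceed.

    Returns (http_status, reason). The reason is for server-side logs only.
    """
    sid = station_id_from_path(path)
    if sid is None:
        return 404, "no station id in path"
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "credentials required"
    try:
        user, sep, key = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return 401, "malformed credentials"
    if not sep:
        return 401, "malformed credentials"
    # Knowing a station ID must not be enough: the credential has to belong
    # to the same ID that appears in the URL.
    if user != sid.encode():
        return 401, "credential does not match station id"
    salt, expected = registry.get(sid, (b"unknown", b""))
    # Hash even for unknown IDs so timing does not reveal which IDs exist.
    supplied = _hash_key(key, salt)
    if not expected or not hmac.compare_digest(supplied, expected):
        return 401, "invalid credentials"
    return 101, "ok"
```

Run the check before the upgrade is accepted and only over TLS, since Basic credentials are otherwise readable in the handshake.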
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:00:40.119Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0da1732ffcdb8a2723492
Added to database: 2/26/2026, 11:41:11 PM
Last enriched: 3/6/2026, 8:59:04 PM
Last updated: 4/13/2026, 2:26:07 AM