CVE-2026-20791: CWE-522 Insufficiently Protected Credentials in Chargemap chargemap.com
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
AI Analysis
Technical Summary
CVE-2026-20791 is classified under CWE-522 (Insufficiently Protected Credentials) and affects Chargemap's web-based mapping platform, chargemap.com. The vulnerability affects all versions of the product and was published on February 26, 2026. The core issue is that authentication identifiers for charging stations, which are critical for secure access and operation, are publicly accessible through the platform. Attackers can retrieve these credentials remotely over the network, without authentication or user interaction. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the ease of exploitation (low attack complexity, no privileges or user interaction needed) and the impact on confidentiality and integrity; availability is unaffected. The vulnerability could enable attackers to impersonate legitimate users or devices, potentially manipulating charging station operations or accessing restricted services. No patches or known exploits are currently available, indicating a need for proactive mitigation. The vulnerability highlights a critical security design flaw in how sensitive authentication data is handled and exposed via public web interfaces, underscoring the importance of secure credential management and access controls in IoT and critical infrastructure platforms.
Potential Impact
The primary impact of CVE-2026-20791 is the exposure of authentication credentials for electric vehicle charging stations, which can lead to unauthorized access and potential misuse of charging infrastructure. Confidentiality is compromised as attackers can obtain sensitive identifiers, and integrity is at risk if attackers manipulate charging station operations or data. Although availability is not directly affected, unauthorized use could lead to indirect service disruptions or financial losses. Organizations operating or relying on Chargemap's platform may face operational risks, reputational damage, and potential regulatory consequences if unauthorized access leads to misuse or data breaches. The vulnerability is particularly impactful in regions with widespread EV adoption and reliance on public charging infrastructure, where attackers could leverage exposed credentials to disrupt services or conduct fraudulent activities. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the threat surface. While no known exploits exist yet, the vulnerability presents a significant risk if weaponized, especially as EV infrastructure becomes more critical globally.
Mitigation Recommendations
To mitigate CVE-2026-20791, Chargemap and affected organizations should immediately restrict public access to authentication identifiers by implementing strict access controls and data minimization on their web platforms. Sensitive credential data should never be exposed in publicly accessible interfaces or APIs. Employ encryption and secure storage mechanisms for all authentication data, ensuring that only authorized users and systems can retrieve credentials. Implement robust authentication and authorization checks for any access to charging station identifiers. Conduct a thorough security review and redesign of the credential management system to follow best practices, including rotating exposed credentials and employing multi-factor authentication where applicable. Monitor logs and network traffic for unusual access patterns that may indicate exploitation attempts. Organizations using Chargemap services should also consider alternative secure platforms or additional compensating controls until a patch or fix is released. Regular security audits and penetration testing focused on credential exposure risks are recommended to prevent similar vulnerabilities.
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Norway, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-20T18:28:15.485Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0d69332ffcdb8a26c7035
Added to database: 2/26/2026, 11:26:11 PM
Last enriched: 3/6/2026, 8:59:17 PM
Last updated: 4/13/2026, 9:30:04 AM