
CVE-2026-20882: CWE-307 in Mobiliti e-mobi.hu

Severity: High
Tags: Vulnerability, CVE-2026-20882, CWE-307
Published: Fri Mar 06 2026 (03/06/2026, 15:05:42 UTC)
Source: CVE Database V5
Vendor/Project: Mobiliti
Product: e-mobi.hu

Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

AI-Powered Analysis

Last updated: 03/06/2026, 15:46:10 UTC

Technical Analysis

CVE-2026-20882 is a vulnerability classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) found in the Mobiliti e-mobi.hu product, which is used for managing electric vehicle (EV) charger telemetry. The root cause is the absence of rate limiting on the WebSocket API's authentication requests. WebSocket connections allow real-time, bidirectional communication between clients and servers, commonly used in telemetry systems for timely data exchange. Without restrictions on the number of authentication attempts, an attacker can flood the system with excessive requests. This can lead to denial-of-service conditions by overwhelming the system, suppressing or mis-routing legitimate telemetry data from chargers, which may disrupt EV charging operations. Additionally, the lack of rate limiting facilitates brute-force attacks against authentication mechanisms, potentially allowing unauthorized access if weak credentials are used. The vulnerability affects all versions of the product and can be exploited remotely without requiring any privileges or user interaction. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and significant impact on availability, though confidentiality and integrity are not directly compromised. No patches or known exploits are currently available, indicating the need for proactive mitigation by users of this product.

Potential Impact

The primary impact of CVE-2026-20882 is on the availability of the Mobiliti e-mobi.hu system, which could lead to denial-of-service conditions affecting EV charger telemetry and management. Disruption of telemetry data can prevent operators from monitoring charger status, potentially causing operational delays, reduced service reliability, and customer dissatisfaction. In worst-case scenarios, mis-routed or suppressed telemetry could lead to incorrect billing or failure to detect charger faults, impacting business operations and safety. The possibility of brute-force attacks raises the risk of unauthorized access, which could lead to further exploitation or manipulation of charger controls. Organizations relying on this system, including EV charging network operators, energy providers, and smart city infrastructure managers, may experience operational downtime and reputational damage. The lack of known exploits suggests the threat is currently theoretical but could be weaponized by attackers targeting EV infrastructure, a growing critical sector worldwide.

Mitigation Recommendations

To mitigate CVE-2026-20882, organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent abuse through excessive attempts. This can be achieved by configuring WebSocket servers or associated reverse proxies to monitor and throttle repeated authentication attempts from the same source IP or client identifier. Additionally, deploying anomaly detection systems to identify unusual traffic patterns indicative of brute-force or DoS attacks is recommended. Strengthening authentication mechanisms by enforcing strong password policies, multi-factor authentication (if supported), and account lockout policies will reduce the risk of unauthorized access. Network segmentation and firewall rules should restrict access to the WebSocket API to trusted clients and networks where possible. Regular monitoring and logging of authentication attempts and telemetry data flows will help detect and respond to attacks promptly. Since no official patches are currently available, these compensating controls are critical until the vendor releases a fix. Engaging with Mobiliti support for updates and applying patches promptly upon release is essential.
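One way to implement the per-client throttle and lockout recommended above, as an added example written for this page (it is not code from Mobiliti or the e-mobi.hu product); the client key (source IP or client id), the thresholds and the handle_auth_frame helper are assumptions for illustration:

```python
import time
from collections import deque


class WebSocketAuthLimiter:
    """Sliding-window limiter for WebSocket authentication attempts, keyed by
    client identifier (source IP or client id). After max_attempts failures
    within `window` seconds the key is locked out for `lockout` seconds."""
    def __init__(self, max_attempts=5, window=60.0, lockout=300.0,
                 clock=time.monotonic):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.clock = clock          # injectable so behaviour can be tested deterministically
        self._failures = {}         # key -> deque of failure timestamps
        self._locked_until = {}     # key -> time at which the lockout ends

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return q

    def allow(self, key):
        """True if this client may submit another authentication attempt."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]
        return len(self._recent_failures(key, now)) < self.max_attempts

    def record(self, key, success):
        """Record an outcome: failures accumulate, a success resets the key."""
        now = self.clock()
        if success:
            self._failures.pop(key, None)
            return
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout


def handle_auth_frame(limiter, client_key, credentials_valid):
    """Server decision for one auth frame (hypothetical helper): returns
    (status, close_socket). Rejected attempts close the connection so each
    retry costs the client a fresh WebSocket handshake, not a cheap frame."""
    if not limiter.allow(client_key):
        return "rate_limited", True
    limiter.record(client_key, credentials_valid)
    return ("authenticated", False) if credentials_valid else ("invalid_credentials", True)
```

A locked-out key is refused even when the credentials are correct, which is what stops a brute-force loop; the same check belongs in front of the reverse proxy's per-IP limit, since the proxy cannot see which frames are authentication attempts.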


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2026-02-24T00:30:38.944Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69aaf339c48b3f10ffa20e1c

Added to database: 3/6/2026, 3:31:05 PM

Last enriched: 3/6/2026, 3:46:10 PM

Last updated: 3/7/2026, 7:19:05 AM

