CVE-2026-20882: CWE-307 in Mobiliti e-mobi.hu
Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AI Analysis
Technical Summary
CVE-2026-20882 is a vulnerability in the WebSocket API of Mobiliti's e-mobi.hu product, which manages electric vehicle charger telemetry. The API places no limit on the number of authentication requests a client may send over the WebSocket interface, so an attacker can flood the authentication path or iterate through credentials without ever being slowed down or cut off. Two consequences follow. First, the flood can exhaust the backend and cause a denial of service in which legitimate charger telemetry is delayed, dropped, or mis-routed; that telemetry is what operators rely on for monitoring and management. Second, unlimited attempts make online brute-force of credentials practical, and a guessed credential yields unauthorized access. WebSocket authentication needs particular care here: after the single HTTP upgrade request, every further attempt travels as a frame on the same long-lived connection, so HTTP-layer protections that count requests at a gateway never see them unless the gateway inspects WebSocket frames. The vulnerability is exploitable remotely with no prior authentication and no user interaction. No public exploit has been reported, but the characteristics of the flaw and the critical role of charger telemetry in EV infrastructure make it a significant threat. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects only the availability impact: the vector scores confidentiality and integrity as none, so it does not capture the outcome of a successful brute-force, and the effective risk for a deployment with weak or guessable charger credentials is higher than the number suggests. The vulnerability is reported as present in all versions of the product, so affected organizations should treat it as unpatched until a vendor fix is confirmed. The CWE-307 classification (Improper Restriction of Excessive Authentication Attempts) names the missing control: a bound on authentication attempts, a common oversight with severe operational consequences in IoT and critical infrastructure contexts.
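The weakness and the fix side by side, as an added example that is not code from Mobiliti or the e-mobi.hu product: a minimal Python model of a WebSocket authentication handler in the vulnerable shape (every message checked, no bound) next to a hardened one that caps attempts per connection and locks out a source after a burst of failures across connections. The credential store, the client identifier `charger-0001`, the peer address (a TEST-NET range), the thresholds and the attacker loop are all constructed for the example; the transport is simulated by calling `handle()` once per message rather than by running a real WebSocket server.

```python
import time
from collections import defaultdict, deque

# Constructed credential store; a real backend would look these up elsewhere.
VALID_CREDENTIALS = {"charger-0001": "correct horse battery staple"}


def check_credentials(client_id, secret):
    """Stand-in for the backend credential check (the costly operation)."""
    return VALID_CREDENTIALS.get(client_id) == secret


class UnlimitedAuthHandler:
    """Vulnerable shape (CWE-307): every authentication message on the socket is
    verified, however many arrive. One long-lived WebSocket carries an unbounded
    brute-force, and each message costs one credential check."""

    def __init__(self):
        self.authenticated = False

    def handle(self, client_id, secret, now=None):
        if check_credentials(client_id, secret):
            self.authenticated = True
            return "AUTH_OK"
        return "AUTH_FAIL"


class SourceRateLimiter:
    """Failure counter shared by all connections from one source (peer IP here; a
    client identifier works too). After max_failures failures inside
    window_seconds the source is locked out for lockout_seconds."""

    def __init__(self, max_failures=10, window_seconds=60.0, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # source -> timestamps of failures
        self._locked_until = {}              # source -> time the lockout ends

    def allowed(self, source, now):
        until = self._locked_until.get(source)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[source]       # lockout expired
        return True

    def record_failure(self, source, now):
        q = self._failures[source]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            q.clear()


class RateLimitedAuthHandler:
    """Hardened shape: a per-connection cap (socket closed after a few failures)
    plus the shared per-source limiter, so neither one socket nor a stream of
    fresh sockets from the same source can try credentials without bound."""

    def __init__(self, limiter, peer_ip, max_attempts_per_connection=3):
        self.limiter = limiter
        self.peer_ip = peer_ip
        self.max_attempts = max_attempts_per_connection
        self.attempts = 0
        self.authenticated = False
        self.closed = False

    def handle(self, client_id, secret, now=None):
        now = time.monotonic() if now is None else now
        if self.closed:
            return "CLOSED"
        if self.authenticated:
            return "ALREADY_AUTHENTICATED"   # no re-authentication on a live session
        if not self.limiter.allowed(self.peer_ip, now):
            self.closed = True
            return "LOCKED_OUT"              # rejected before any credential check
        self.attempts += 1
        if check_credentials(client_id, secret):
            self.authenticated = True
            return "AUTH_OK"
        self.limiter.record_failure(self.peer_ip, now)
        if self.attempts >= self.max_attempts:
            self.closed = True
            return "AUTH_FAIL_CLOSING"
        return "AUTH_FAIL"


# Constructed guess list: 1000 wrong passwords, then the right one.
GUESSES = [f"guess-{i}" for i in range(1000)] + ["correct horse battery staple"]


def brute_force(open_connection, guesses, start=0.0, interval=0.1):
    """Attacker loop: one guess per message, reconnecting whenever the server
    closes the socket. Returns (credential checks the server performed, success)."""
    conn = open_connection()
    checks = 0
    for i, guess in enumerate(guesses):
        result = conn.handle("charger-0001", guess, now=start + i * interval)
        if result in ("AUTH_OK", "AUTH_FAIL", "AUTH_FAIL_CLOSING"):
            checks += 1
        if result == "AUTH_OK":
            return checks, True
        if result in ("LOCKED_OUT", "AUTH_FAIL_CLOSING", "CLOSED"):
            conn = open_connection()
    return checks, False


if __name__ == "__main__":
    print("unlimited:", brute_force(UnlimitedAuthHandler, GUESSES))
    limiter = SourceRateLimiter()
    print("hardened: ", brute_force(lambda: RateLimitedAuthHandler(limiter, "203.0.113.7"), GUESSES))
```

Against the vulnerable handler the attacker gets 1001 credential checks and the password; against the hardened one the server spends 10 checks, the source is locked out, and reconnecting does not help. One caveat before copying the keying: many chargers sit behind a shared egress address, so a hard lockout keyed on peer IP alone lets an attacker lock out legitimate chargers behind the same NAT. Key on client identity plus address, and prefer throttling (delays) over hard lockout for sources known to be shared.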
Potential Impact
The primary impact of CVE-2026-20882 is on availability: the telemetry stream from electric vehicle chargers through the Mobiliti e-mobi.hu system. If that stream is suppressed or mis-routed, operators lose real-time monitoring, diagnostics, and management of their charging infrastructure, which can mean outages or degraded service. For organizations running large charger fleets this translates into downtime, customer dissatisfaction, and financial loss. The brute-force path raises a separate concern: a guessed credential could give an attacker a foothold from which to manipulate or control charging stations, read data, or sabotage operations. Given how much energy management and transportation now depends on EV charging infrastructure, disruptions could cascade beyond the charging network itself. Because exploitation is remote and needs neither credentials nor user interaction, the attack surface is open to opportunistic attackers as well as targeted ones. No exploits are known in the wild, but nothing about the flaw is hard to weaponize, whether in targeted attacks or broad campaigns against regions with dense EV infrastructure.
Mitigation Recommendations
To mitigate CVE-2026-20882, organizations should:
- Enforce a bound on authentication attempts over the WebSocket API at two levels: per connection (close the socket after a small number of failures) and per source (throttle or lock out an IP, client identifier, or session that accumulates failures across connections). A limit at only one level is easy to bypass: an attacker cut off per connection simply reconnects, and an attacker limited only at the HTTP upgrade keeps one socket open and sends attempts as frames.
- Where a firewall or API gateway is used for throttling, confirm that it actually inspects WebSocket frames rather than counting only the upgrade requests; otherwise apply the limit in the application's message handler.
- Deploy anomaly detection on authentication patterns (bursts of failures from one source, many failures on a single connection, a success following a burst) so brute-force and flood attempts are caught early.
- Strengthen authentication where possible: multi-factor authentication for human users, and long, unique, non-default credentials for chargers, so that even a large number of attempts does not succeed quickly.
- Track vendor updates. No patch is currently listed for the e-mobi.hu product; stay in contact with Mobiliti for a fix and apply it promptly when released.
- Segment the network and keep the telemetry endpoint off the public internet (VPN, allow-listed charger address ranges, or an authenticated tunnel) to shrink the exposed surface.
- Log every authentication failure with source address, connection identifier, and client identity, and alert on them so incidents can be worked quickly.
- Include WebSocket endpoints in penetration tests and security assessments, since request-rate controls that cover REST endpoints often miss them.
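The logging-and-alerting recommendation turned into working detection logic, as an added example that is not part of the advisory or the vendor's tooling. The log line format, the peer addresses (TEST-NET ranges), the connection and client identifiers and the thresholds are all constructed for this example; the e-mobi.hu product's real log format is not documented on this page, so the regex is the part to adapt. The detector flags three things the hardened handler above would also care about: a burst of failures from one source counted across connections, a burst on one connection (the single-socket brute-force that per-upgrade limits miss), and a success from a source that was already flagged, which is what a completed brute-force looks like.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example; adapt the pattern to what your gateway emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws-auth peer=(?P<peer>\S+) conn=(?P<conn>\S+) "
    r"client=(?P<client>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate typo from 198.51.100.20, then a brute-force
# from 203.0.113.7 spread over two connections that ends in a successful login.
SAMPLE_LOG = """\
2026-03-10T08:14:00Z ws-auth peer=198.51.100.20 conn=c9 client=charger-0042 result=FAIL
2026-03-10T08:14:03Z ws-auth peer=198.51.100.20 conn=c9 client=charger-0042 result=OK
2026-03-10T08:15:00Z ws-auth peer=203.0.113.7 conn=a1 client=charger-0001 result=FAIL
2026-03-10T08:15:01Z ws-auth peer=203.0.113.7 conn=a1 client=charger-0001 result=FAIL
2026-03-10T08:15:01Z ws-auth peer=203.0.113.7 conn=a1 client=charger-0001 result=FAIL
2026-03-10T08:15:02Z ws-auth peer=203.0.113.7 conn=a1 client=charger-0001 result=FAIL
2026-03-10T08:15:02Z ws-auth peer=203.0.113.7 conn=a1 client=charger-0001 result=FAIL
2026-03-10T08:15:10Z ws-auth peer=203.0.113.7 conn=a2 client=charger-0002 result=FAIL
2026-03-10T08:15:11Z ws-auth peer=203.0.113.7 conn=a2 client=charger-0002 result=FAIL
2026-03-10T08:15:12Z ws-auth peer=203.0.113.7 conn=a2 client=charger-0002 result=OK
"""


def parse(lines):
    """Yield one event dict per matching line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_auth_abuse(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, subject, detail) tuples, in the order they fire.

    peer-burst:          >= threshold failures from one peer inside the window,
                         counted across all of its connections
    conn-burst:          >= threshold failures on one connection id
    success-after-burst: a successful login from a peer already flagged
    """
    fails_by_peer = defaultdict(deque)   # peer -> timestamps of recent failures
    fails_by_conn = defaultdict(int)     # conn -> failures on that connection
    flagged_peers, flagged_conns = set(), set()
    alerts = []
    for ev in parse(lines):
        peer, conn, ts = ev["peer"], ev["conn"], ev["ts"]
        if ev["result"] == "FAIL":
            q = fails_by_peer[peer]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and peer not in flagged_peers:
                flagged_peers.add(peer)
                alerts.append(("peer-burst", peer, len(q)))
            fails_by_conn[conn] += 1
            if fails_by_conn[conn] >= threshold and conn not in flagged_conns:
                flagged_conns.add(conn)
                alerts.append(("conn-burst", conn, fails_by_conn[conn]))
        elif peer in flagged_peers:
            alerts.append(("success-after-burst", peer, ev["client"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the legitimate client never trips a threshold, the attacking peer is flagged on its fifth failure, connection `a1` is flagged at the same moment, and the final `OK` from the flagged peer is reported as a success after a burst, the alert that should page someone. The per-peer window deliberately spans connections, because an attacker who is closed out of one socket reconnects; the per-connection count is what catches the opposite case, an attacker who never reconnects and simply keeps one socket busy.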
Affected Countries
United States, Germany, Netherlands, Norway, China, South Korea, Japan, France, United Kingdom, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:30:38.944Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e1c
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/13/2026, 7:24:05 PM
Last updated: 4/21/2026, 6:40:10 AM