CVE-2026-20895 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting all versions of EV2GO's ev2go.io WebSocket backend. The system uses charging station identifiers as session identifiers to uniquely associate sessions. However, the implementation flaw allows multiple endpoints to connect using the same session identifier, which are also predictable. This design flaw enables session hijacking or session shadowing attacks, where an attacker can connect with the same session ID and displace the legitimate charging station connection. Consequently, the attacker can receive backend commands intended for the legitimate station, effectively impersonating it. Additionally, an attacker can overwhelm the backend with numerous valid session requests, causing denial-of-service conditions. The vulnerability requires no privileges or user interaction, and the attack vector is network-based (remote). The CVSS v3.1 score is 7.3 (high), reflecting the ease of exploitation and the impact on confidentiality, integrity, and availability. No patches or exploits in the wild are currently reported, but the vulnerability poses a significant risk to the security and reliability of EV2GO's charging station management infrastructure.

The vulnerability can have severe consequences for organizations relying on EV2GO's charging station management platform. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging operations, disrupting billing, or causing operational confusion. This compromises the integrity and confidentiality of the system. Furthermore, the ability to displace legitimate sessions can result in denial-of-service conditions, disrupting service availability and affecting end-users relying on electric vehicle charging infrastructure. Such disruptions can damage organizational reputation, cause financial losses, and undermine trust in critical infrastructure. Given the increasing reliance on electric vehicle charging networks globally, this vulnerability could impact utility providers, charging network operators, and related service providers, especially those with large deployments of EV2GO systems. The lack of authentication or user interaction required for exploitation increases the risk of automated or large-scale attacks.

To mitigate this vulnerability, EV2GO should implement robust session management practices, including generating cryptographically secure, unpredictable session identifiers that are unique per connection. The backend should enforce strict session uniqueness, preventing multiple simultaneous connections using the same session ID. Implementing session expiration and re-authentication mechanisms can reduce the risk of session hijacking. Network-level protections such as rate limiting and anomaly detection can help mitigate denial-of-service attempts by limiting the number of session requests from a single source. Organizations should monitor WebSocket connections for unusual patterns indicative of session shadowing or hijacking. Until a vendor patch is available, deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious session reuse may provide interim protection. Additionally, segregating critical backend systems and employing strong network segmentation can limit the attack surface. Regular security assessments and penetration testing focused on session management are recommended to identify and remediate similar issues proactively.