CVE-2026-20895: CWE-613 in EV2GO ev2go.io
CVE-2026-20895 is a high-severity vulnerability in the WebSocket backend of the EV2GO ev2go.io platform. The backend derives session identifiers from charging station IDs, so they are predictable, and it accepts more than one connection for the same session ID. An attacker can therefore hijack or shadow a session: a new connection presenting a known station ID displaces the legitimate charging station and receives the backend commands meant for it. The same weakness lets an unauthenticated party impersonate stations or cause denial of service by flooding the backend with valid-looking session requests. The vulnerability affects all versions of ev2go.io and requires no authentication or user interaction to exploit. No exploitation in the wild is known at the time of writing, but the weakness puts the confidentiality, integrity and availability of charging station operations at risk, and organizations running the platform should prioritize mitigation to prevent service disruption or unauthorized access.
AI Analysis
Technical Summary
CVE-2026-20895 identifies a high-severity weakness in the EV2GO ev2go.io WebSocket backend, which manages communication sessions with electric vehicle charging stations. The backend keys each session on the charging station identifier, so a session ID is predictable to anyone who knows or can guess a station ID, and it permits several endpoints to hold connections under the same session ID at the same time. An attacker who opens a connection with a target station's ID becomes the most recent holder of that session; the backend routes subsequent commands to that connection, so the legitimate station is displaced and the attacker receives the commands intended for it (session shadowing). The root cause is improper session management: the existing session is neither invalidated nor protected when a new connection claims the same identifier, which is why the entry is classified under CWE-613 (Insufficient Session Expiration), and the identifiers themselves carry no entropy. Exploitation needs no privileges or user interaction and can yield authentication as other stations or users as well as denial of service by overwhelming the backend with valid-looking session requests. All versions of ev2go.io are affected. No exploits in the wild have been reported; the CVSS 3.1 base score of 7.3 (High, not Critical) reflects a network attack vector, low complexity and no privileges or user interaction, combined with a low (partial) rather than high impact rating on each of confidentiality, integrity and availability. The absence of patch links suggests a fix may not yet be publicly available, which makes compensating controls the priority for affected organizations.
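The displacement described above, as an added example rather than ev2go.io code: a minimal in-memory model of a backend that keys sessions on the station ID and lets the latest connection win, beside a hardened registry that authenticates the station before binding a session, issues a random session token, rejects a second connection while a session is live, and expires idle sessions. The station names, peer addresses, per-station key and HMAC challenge scheme are assumptions made for the illustration; no sockets are opened, a Conn object just records what the backend delivers to it.

```python
import hashlib, hmac, secrets, time


class Conn:
    """Stand-in for one WebSocket connection; it records what the backend delivers to it."""
    def __init__(self, peer):
        self.peer, self.received, self.closed = peer, [], False

    def send(self, msg):
        if self.closed:
            raise ConnectionError(f"{self.peer}: closed")
        self.received.append(msg)


class VulnerableBackend:
    """Session ID is the station ID and a new connection silently replaces the old one."""
    def __init__(self):
        self.sessions = {}

    def connect(self, station_id, conn):
        self.sessions[station_id] = conn     # no auth, no duplicate check: last writer wins
        return station_id                    # predictable session identifier

    def send_command(self, station_id, cmd):
        self.sessions[station_id].send(cmd)  # delivered to whoever connected most recently


class HardenedBackend:
    """One authenticated session per station, random session token, idle expiry, audit trail.
    Identity is proven with an HMAC over a server-issued nonce using a per-station key that
    is assumed to be pre-provisioned (a stand-in for mutual TLS client certificates)."""
    def __init__(self, station_keys, idle_timeout=300.0, clock=time.monotonic):
        self.station_keys, self.idle_timeout, self.clock = station_keys, idle_timeout, clock
        self.pending = {}     # conn -> nonce issued to that connection (blocks replay)
        self.by_station = {}  # station_id -> {"token", "conn", "last_seen"}
        self.events = []      # (event, station_id, peer) for monitoring

    def challenge(self, conn):
        self.pending[conn] = secrets.token_hex(16)
        return self.pending[conn]

    @staticmethod
    def proof(key, station_id, nonce):
        return hmac.new(key, f"{station_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def _expire(self, station_id):
        s = self.by_station.get(station_id)
        if s and self.clock() - s["last_seen"] > self.idle_timeout:
            s["conn"].closed = True
            del self.by_station[station_id]
            self.events.append(("expired", station_id, s["conn"].peer))

    def connect(self, station_id, proof, conn):
        nonce, key = self.pending.pop(conn, None), self.station_keys.get(station_id)
        if nonce is None or key is None or not hmac.compare_digest(
                self.proof(key, station_id, nonce), proof):
            self.events.append(("auth_failed", station_id, conn.peer))
            raise PermissionError("station authentication failed")
        self._expire(station_id)
        if station_id in self.by_station:    # reject rather than displace the live session
            self.events.append(("duplicate_rejected", station_id, conn.peer))
            raise ConnectionRefusedError("station already has an active session")
        token = secrets.token_urlsafe(32)    # unguessable and unrelated to the station ID
        self.by_station[station_id] = {"token": token, "conn": conn, "last_seen": self.clock()}
        self.events.append(("connected", station_id, conn.peer))
        return token

    def send_command(self, station_id, cmd):
        self._expire(station_id)
        if station_id not in self.by_station:
            raise LookupError(f"{station_id}: no active session")
        self.by_station[station_id]["conn"].send(cmd)


def demo():
    """Both backends against a legitimate station and an attacker; returns what each saw."""
    now = [1000.0]                                      # controllable clock for the expiry case
    legit, atk = Conn("10.0.0.5"), Conn("203.0.113.9")  # constructed peers
    v = VulnerableBackend()
    v.connect("CS-1042", legit)
    v.connect("CS-1042", atk)                           # shadows the real station
    v.send_command("CS-1042", "RemoteStartTransaction")
    key = b"station-CS-1042-secret"                     # constructed per-station key
    h = HardenedBackend({"CS-1042": key}, clock=lambda: now[0])
    legit2, atk2, again = Conn("10.0.0.5"), Conn("203.0.113.9"), Conn("10.0.0.5")
    token = h.connect("CS-1042", h.proof(key, "CS-1042", h.challenge(legit2)), legit2)
    for conn, k in ((atk2, b"guess"), (again, key)):    # forged proof, then a live duplicate
        try:
            h.connect("CS-1042", h.proof(k, "CS-1042", h.challenge(conn)), conn)
        except (PermissionError, ConnectionRefusedError):
            pass
    h.send_command("CS-1042", "RemoteStartTransaction")
    now[0] += 301                                       # station silent past the idle timeout
    h.connect("CS-1042", h.proof(key, "CS-1042", h.challenge(again)), again)
    h.send_command("CS-1042", "Reset")
    return {"vuln_attacker": atk.received, "vuln_legit": legit.received,
            "hard_legit": legit2.received, "hard_attacker": atk2.received,
            "hard_reconnect": again.received, "token_is_station_id": token == "CS-1042",
            "events": [e[0] for e in h.events]}
```

demo() returns what each connection received. With the vulnerable backend the attacker's connection gets RemoteStartTransaction and the real station gets nothing. With the hardened one the forged proof is refused, the duplicate is refused while the session is live, and a reconnect from the same station succeeds only after the idle timeout has invalidated the earlier session, which is the CWE-613 point; the audit events give a monitoring hook for each of those outcomes.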
Potential Impact
The vulnerability can have severe consequences for organizations relying on EV2GO's ev2go.io platform to manage electric vehicle charging stations. Session hijacking allows attackers to impersonate legitimate charging stations, potentially manipulating charging operations, disrupting billing processes, or causing unauthorized energy consumption. This undermines the integrity and trustworthiness of the charging infrastructure. Additionally, session shadowing can lead to denial-of-service conditions by displacing legitimate devices, resulting in service outages and operational disruptions. Attackers can also flood the backend with multiple session requests, overwhelming system resources and causing broader availability issues. These impacts can affect electric vehicle service providers, utility companies, and end-users, potentially leading to financial losses, reputational damage, and regulatory compliance issues. Given the critical role of EV charging infrastructure in energy and transportation sectors, this vulnerability poses risks to national energy grids and smart city initiatives, especially in regions with high EV adoption.
Mitigation Recommendations
To mitigate CVE-2026-20895, organizations should implement the following measures:
1) Generate session identifiers from a cryptographic random source with enough entropy that they cannot be guessed or derived from the station ID, and never reuse them.
2) Allow only one active WebSocket session per charging station identifier; reject a second connection while a session is live rather than letting it displace the first.
3) Expire and invalidate sessions after a bounded idle period and on disconnect, so that stale sessions cannot be taken over.
4) Rate-limit session requests per source and per station at the backend, and alert on bursts, which are the signature of a flood-style denial of service.
5) Require mutual authentication between charging stations and the backend (for example mutual TLS with per-station client certificates) so that device identity is verified before a session is bound to a station ID.
6) Log every connect, disconnect and displacement event with station ID and source address, and monitor for a station reconnecting from a different source while its session is still active, so that incident response can start quickly.
7) Coordinate with EV2GO for a patch or update addressing the vulnerability.
8) Limit network exposure of the WebSocket backend with segmentation and firewall rules so that only charging station networks and management hosts can reach it.
These controls target the two concrete defects, predictable identifiers and tolerated duplicate sessions, together with the monitoring needed to notice abuse of them in the ev2go.io environment.
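Items 4 and 6 of the list above, as an added detection example that is not ev2go.io tooling: a pass over backend connection logs that flags a station displaced by a connection from a different source while its session is live, and a station whose session-request rate crosses a threshold inside a sliding window. The log line format, station IDs, addresses and thresholds are assumptions made for this illustration; the sample log is constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> ws <connect|disconnect> station=<id> peer=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws (?P<event>connect|disconnect) station=(?P<station>\S+) peer=(?P<peer>\S+)$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_log():
    """Constructed backend log: one benign reconnect, one displacement, one flood."""
    lines = [
        "2026-02-27T00:10:00Z ws connect station=CS-1042 peer=10.0.0.5",
        "2026-02-27T00:10:02Z ws connect station=CS-2001 peer=10.0.0.6",
        "2026-02-27T00:11:40Z ws connect station=CS-1042 peer=203.0.113.9",   # shadows CS-1042
        "2026-02-27T00:11:40Z ws disconnect station=CS-1042 peer=10.0.0.5",   # real station dropped
        "2026-02-27T00:12:00Z ws disconnect station=CS-2001 peer=10.0.0.6",
        "2026-02-27T00:12:05Z ws connect station=CS-2001 peer=10.0.0.6",      # benign reconnect
    ]
    start = parse_ts("2026-02-27T00:13:00Z")
    for i in range(12):                                   # flood of valid-looking session requests
        t = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} ws connect station=CS-3000 peer=198.51.100.7")
    return lines


def analyze(lines, burst_threshold=10, burst_window=timedelta(seconds=60)):
    """Return alerts for (a) a station displaced by a different peer while its session is live
    and (b) a station whose connect count reaches burst_threshold within burst_window."""
    active = {}                          # station -> peer currently holding the session
    recent = defaultdict(deque)          # station -> connect timestamps inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # unrelated log line
        ts, event, station, peer = parse_ts(m["ts"]), m["event"], m["station"], m["peer"]
        if event == "disconnect":
            if active.get(station) == peer:   # ignore the drop of an already-displaced peer
                del active[station]
            continue
        old = active.get(station)
        if old is not None and old != peer:
            alerts.append({"type": "displacement", "station": station, "old_peer": old,
                           "new_peer": peer, "ts": m["ts"]})
        active[station] = peer           # mirrors the backend's last-writer-wins behaviour
        q = recent[station]
        q.append(ts)
        while q and ts - q[0] > burst_window:
            q.popleft()
        if len(q) == burst_threshold:    # fire once, as the threshold is crossed
            alerts.append({"type": "burst", "station": station, "peer": peer,
                           "count": len(q), "ts": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The displacement rule deliberately ignores a disconnect that arrives after the station has already been replaced, because in a last-writer-wins backend that disconnect belongs to the victim, not the current holder; without that check the detector would clear the attacker's session and miss a later second displacement. The burst rule keys on the station ID rather than the source address so that a flood spread across many addresses against one station is still caught.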
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-23T23:41:36.739Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0e11f32ffcdb8a28c2700
Added to database: 2/27/2026, 12:11:11 AM
Last enriched: 2/27/2026, 12:25:45 AM
Last updated: 2/27/2026, 2:16:44 AM
Views: 7
Related Threats
- CVE-2026-3274: Buffer Overflow in Tenda F453 (High)
- CVE-2026-3037: CWE-78 in Copeland Copeland XWEB 300D PRO (High)
- CVE-2026-25721: CWE-78 in Copeland Copeland XWEB 300D PRO (High)
- CVE-2026-25196: CWE-78 in Copeland Copeland XWEB 300D PRO (High)
- CVE-2026-25105: CWE-78 in Copeland Copeland XWEB 300D PRO (High)