
CVE-2026-22878: CWE-522 in Mobility46 mobility46.se

Severity: Medium
Published: Fri Feb 27 2026 (02/27/2026, 00:25:23 UTC)
Source: CVE Database V5
Vendor/Project: Mobility46
Product: mobility46.se

Description

CVE-2026-22878 is a medium severity vulnerability affecting all versions of Mobility46's mobility46.se platform. The issue involves charging station authentication identifiers being publicly accessible through web-based mapping platforms, classified under CWE-522 (Insufficiently Protected Credentials). This exposure allows unauthorized parties to obtain sensitive authentication data without requiring privileges or user interaction. Although no known exploits are currently reported in the wild, the vulnerability poses risks to confidentiality and integrity of charging station authentication processes. The vulnerability has a CVSS 3.1 base score of 6.5, indicating moderate risk. Organizations using Mobility46's platform should prioritize securing access to these identifiers and monitor for potential misuse. Countries with significant electric vehicle infrastructure and Mobility46 market presence are at higher risk.

AI-Powered Analysis

Last updated: 02/27/2026, 01:13:52 UTC

Technical Analysis

CVE-2026-22878 is a vulnerability identified in the Mobility46 platform (mobility46.se) that affects all versions of the product. The core issue is that charging station authentication identifiers, which are critical for validating and authorizing access to electric vehicle charging stations, are exposed publicly via web-based mapping platforms. This vulnerability is categorized under CWE-522, which refers to insufficient protection of credentials. The exposure occurs without requiring any privileges or user interaction, meaning an attacker can access these identifiers remotely and anonymously. The CVSS 3.1 score of 6.5 reflects a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The public availability of authentication identifiers could allow attackers to impersonate legitimate users or devices, potentially leading to unauthorized use of charging stations or manipulation of charging sessions. Although no exploits have been reported in the wild, the vulnerability presents a tangible risk to the security and trustworthiness of the charging infrastructure managed via Mobility46's platform. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate compensating controls and monitoring.

Potential Impact

The exposure of charging station authentication identifiers can have several impacts on organizations and users worldwide. Confidentiality is compromised as sensitive credentials are publicly accessible, enabling unauthorized parties to gather information that should be protected. Integrity is at risk because attackers could potentially use these identifiers to impersonate legitimate users or devices, leading to unauthorized charging sessions, fraudulent usage, or manipulation of charging data. While availability is not directly impacted, the misuse of credentials could indirectly affect service reliability or billing accuracy. For organizations operating electric vehicle charging infrastructure, this vulnerability could result in financial losses, reputational damage, and erosion of customer trust. Additionally, attackers might leverage exposed identifiers as a foothold for further attacks on the charging network or related systems. The risk is amplified in regions with high adoption of electric vehicles and reliance on Mobility46's platform, where disruption or misuse could have broader economic and operational consequences.

Mitigation Recommendations

To mitigate CVE-2026-22878 effectively, organizations should implement the following specific measures:

1) Restrict public access to charging station authentication identifiers by configuring web-based mapping platforms and associated APIs to require authentication and authorization controls, ensuring only legitimate users can view sensitive data.
2) Employ strong encryption and secure storage for authentication credentials both at rest and in transit to prevent unauthorized disclosure.
3) Implement robust access control policies and role-based access management to limit exposure of sensitive identifiers internally and externally.
4) Monitor network traffic and logs for unusual access patterns or attempts to retrieve authentication identifiers, enabling early detection of potential exploitation attempts.
5) Coordinate with Mobility46 to obtain updates or patches as they become available, and apply them promptly.
6) Conduct regular security assessments and penetration testing focused on credential exposure and access control weaknesses within the charging infrastructure ecosystem.
7) Educate staff and users about the risks associated with credential exposure and enforce best practices for credential management.

These targeted actions go beyond generic advice by focusing on access restriction, encryption, monitoring, and collaboration with the vendor.
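One way an operator could apply the first measure on its own map feed, shown as an added example that is not code from this page or from Mobility46: an allowlist projection for public station records plus an audit that flags credential-like keys in a payload. All field names, the key pattern and the sample record are hypothetical and constructed for illustration.

```python
"""Allowlist projection and leak audit for a public station map feed."""
import re

# Assumption: the only attributes a public map needs; all else is withheld.
PUBLIC_FIELDS = {"name", "lat", "lon", "connector_types", "status"}

# Assumption: key names that suggest an authentication identifier or secret.
SENSITIVE_KEY = re.compile(r"auth|token|secret|password|credential", re.I)


def public_view(station: dict) -> dict:
    """Keep allowlisted fields only, so new backend fields are dropped by default."""
    return {k: v for k, v in station.items() if k in PUBLIC_FIELDS}


def audit_feed(payload, path="$"):
    """Return JSON paths in a payload whose key name looks credential-like."""
    findings = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                findings.append(here)
            findings.extend(audit_feed(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            findings.extend(audit_feed(item, f"{path}[{i}]"))
    return findings


# Constructed backend record; identifier values are placeholders, not real data.
BACKEND_RECORDS = [{
    "name": "Depot A", "lat": 59.33, "lon": 18.06,
    "connector_types": ["Type2"], "status": "available",
    "auth_identifier": "EXAMPLE-ID-0001",
    "internal": {"ws_password": "EXAMPLE-NOT-REAL"},
}]

# Weak: backend records serialized straight into the public feed.
LEAKY_FEED = {"stations": BACKEND_RECORDS}
# Corrected: every record passes through the allowlist first.
SAFE_FEED = {"stations": [public_view(s) for s in BACKEND_RECORDS]}

if __name__ == "__main__":
    print("leaky:", audit_feed(LEAKY_FEED))
    print("safe: ", audit_feed(SAFE_FEED))
```

Running the audit in CI against the serialized public feed catches a regression when a new backend field is added without updating the allowlist.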


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2026-02-24T00:35:18.435Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69a0ebad32ffcdb8a293f2b3

Added to database: 2/27/2026, 12:56:13 AM

Last enriched: 2/27/2026, 1:13:52 AM

Last updated: 2/27/2026, 6:39:24 AM
