CVE-2026-22878 is a vulnerability identified in all versions of the Mobility46 mobility46.se platform, which is used for managing electric vehicle charging stations. The core issue is that authentication identifiers for charging stations are publicly accessible via web-based mapping platforms. This vulnerability is categorized under CWE-522, which refers to insufficient protection of credentials. Specifically, sensitive authentication tokens or identifiers that should be confidential are exposed to anyone accessing these mapping services, enabling potential attackers to gather credentials without authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), and the impact affects confidentiality and integrity to a limited extent (C:L/I:L) but does not affect availability (A:N). Although no exploits have been reported in the wild, the exposure of authentication identifiers could allow unauthorized users to impersonate legitimate devices or users, potentially leading to unauthorized access, manipulation, or disruption of charging station operations. Given the critical role of charging infrastructure in supporting electric vehicle ecosystems, this vulnerability poses a risk to service integrity and user trust. The lack of available patches at the time of publication necessitates immediate mitigation efforts by organizations using or integrating with Mobility46 services.

The primary impact of CVE-2026-22878 is the unauthorized disclosure of authentication identifiers, which can lead to unauthorized access to charging stations managed via the Mobility46 platform. This could allow attackers to impersonate legitimate users or devices, potentially manipulating charging sessions, causing billing fraud, or disrupting service availability indirectly. While availability is not directly impacted by the vulnerability, integrity and confidentiality are compromised to a limited degree. For organizations, this could result in financial losses, reputational damage, and erosion of customer trust. The exposure also raises concerns about the security of critical infrastructure supporting electric vehicle charging, which is increasingly vital for transportation and environmental goals worldwide. The medium severity rating reflects that exploitation is feasible over the network without privileges or user interaction, increasing the risk profile. However, the absence of known exploits in the wild suggests that immediate widespread impact is limited but could escalate if attackers develop exploit tools.

To mitigate CVE-2026-22878, organizations should implement the following specific measures: 1) Restrict access to authentication identifiers by removing them from publicly accessible web-based mapping platforms or applying strict access controls and authentication mechanisms to these services. 2) Employ encryption and tokenization techniques to protect authentication credentials both at rest and in transit, ensuring they are not exposed in URLs, metadata, or publicly accessible APIs. 3) Conduct thorough audits of all web services and APIs associated with the Mobility46 platform to identify and remediate any inadvertent exposure of sensitive data. 4) Implement network segmentation and firewall rules to limit external access to management interfaces of charging stations. 5) Monitor logs and network traffic for unusual access patterns or attempts to use exposed credentials. 6) Engage with Mobility46 for updates or patches addressing this vulnerability and apply them promptly once available. 7) Educate operational staff about the risks of credential exposure and enforce strict credential management policies. These targeted actions go beyond generic advice by focusing on eliminating public exposure of authentication identifiers and enhancing monitoring and access controls specific to the affected platform.