CVE-2026-22890 is a vulnerability identified in EV2GO's ev2go.io platform, affecting all versions of the product. The core issue is the exposure of charging station authentication identifiers via web-based mapping platforms that are publicly accessible. This vulnerability is categorized under CWE-522, which refers to insufficient protection of credentials. Essentially, authentication identifiers that should be confidential are instead openly available, allowing any user or attacker to retrieve them without authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a medium severity level. The vector indicates that the attack can be performed remotely over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality and integrity (C:L/I:L) but not availability (A:N). The exposure of these identifiers could enable unauthorized access to charging stations, potentially allowing attackers to manipulate charging sessions, cause billing fraud, or disrupt service integrity. Although no known exploits are currently reported in the wild, the public availability of sensitive credentials represents a significant security risk. The vulnerability affects all versions of EV2GO's platform, indicating a systemic issue in how authentication data is handled and displayed on mapping services. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps by users and administrators.

The primary impact of CVE-2026-22890 is the compromise of confidentiality and integrity of charging station authentication credentials. Unauthorized access to these identifiers can lead to several adverse outcomes: attackers could initiate unauthorized charging sessions, resulting in financial losses or billing fraud; they might manipulate charging station operations, causing service disruptions or damage to infrastructure; and the integrity of user data and charging records could be undermined. For organizations operating or managing EV2GO charging stations, this vulnerability could erode customer trust and lead to regulatory compliance issues, especially in jurisdictions with strict data protection laws. The exposure of credentials on public mapping platforms increases the attack surface, making it easier for threat actors to identify and target vulnerable stations. While availability is not directly impacted, indirect effects such as operational disruptions could occur if attackers exploit the credentials to interfere with services. The medium CVSS score reflects a balanced risk, but the widespread use of EV2GO in regions with growing electric vehicle infrastructure elevates the potential impact. Organizations worldwide that depend on EV2GO's platform for charging station management must consider this vulnerability seriously to prevent unauthorized access and maintain service reliability.

To mitigate CVE-2026-22890 effectively, organizations should implement several targeted measures beyond generic advice: 1) Immediately audit and restrict access to authentication identifiers on all web-based mapping platforms, ensuring these credentials are not publicly exposed or indexed by search engines. 2) Implement strong access controls and encryption for authentication data both at rest and in transit, preventing unauthorized retrieval or interception. 3) Coordinate with EV2GO to obtain patches or updates that address the root cause of credential exposure as soon as they become available. 4) Employ network segmentation and monitoring around charging station infrastructure to detect and block unauthorized access attempts using exposed credentials. 5) Regularly rotate authentication identifiers and credentials to limit the window of opportunity for attackers exploiting leaked data. 6) Educate staff and users about the risks associated with credential exposure and encourage reporting of suspicious activity. 7) Use anomaly detection systems to identify unusual charging patterns or access that may indicate exploitation of this vulnerability. 8) Engage with mapping platform providers to remove or restrict sensitive data visibility related to charging stations. These steps collectively reduce the risk of exploitation and help maintain the confidentiality and integrity of charging station operations.