CVE-2026-22890 identifies a vulnerability in EV2GO's ev2go.io platform, where authentication identifiers for charging stations are exposed publicly via web-based mapping services. This vulnerability is classified under CWE-522, which concerns insufficiently protected credentials. The exposure allows any remote attacker to access sensitive authentication identifiers without requiring privileges or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability affects all versions of the product, indicating a systemic design or configuration flaw. Although no exploits have been reported in the wild, the publicly accessible authentication data could enable attackers to impersonate legitimate users or devices, potentially leading to unauthorized control or manipulation of EV charging stations. This could compromise the confidentiality and integrity of the charging infrastructure, though availability impact is not indicated. The vulnerability was published on February 26, 2026, and has a CVSS v3.1 score of 6.5, categorized as medium severity. The lack of patches or mitigations currently listed suggests that organizations must implement compensating controls to protect their infrastructure. The exposure via web-based mapping platforms suggests that the identifiers are either embedded in publicly accessible APIs or displayed on maps without adequate access restrictions, highlighting a need for improved data handling and access control policies within EV2GO's ecosystem.

The primary impact of CVE-2026-22890 is the exposure of authentication identifiers for EV charging stations, which can lead to unauthorized access or manipulation of these stations. This compromises confidentiality by revealing sensitive credentials and integrity by enabling potential unauthorized commands or configurations. While availability is not directly affected, unauthorized control could indirectly disrupt charging services. For organizations operating EV2GO charging infrastructure, this vulnerability could result in operational disruptions, financial losses, reputational damage, and potential safety risks if charging stations are manipulated maliciously. The exposure also raises privacy concerns for users relying on these stations. Given the increasing adoption of electric vehicles globally, the vulnerability poses a significant risk to critical EV infrastructure, especially in regions with high EV penetration and reliance on EV2GO services. Attackers could leverage this information for targeted attacks, including fraudulent charging sessions or denial of service through indirect means. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat landscape.

To mitigate CVE-2026-22890, organizations should immediately audit and restrict access to authentication identifiers on all web-based mapping platforms and APIs associated with EV2GO services. EV2GO should implement strict access controls, ensuring that sensitive identifiers are never publicly exposed or embedded in publicly accessible resources. Employing tokenization or encryption for authentication data in transit and at rest is critical. Organizations should monitor network traffic and logs for unusual access patterns to charging station credentials. Implementing multi-factor authentication and anomaly detection on charging station management systems can reduce the risk of unauthorized access. EV2GO should prioritize releasing patches or updates that remove or obfuscate authentication identifiers from public interfaces. Additionally, organizations should engage in threat hunting and incident response preparedness specific to EV infrastructure. Collaboration with EV2GO and relevant cybersecurity authorities to share intelligence and coordinate response efforts is recommended. Finally, educating staff and users about the risks associated with exposed credentials can help reduce social engineering or related attack vectors.