
CVE-2026-26051: CWE-306 in Mobiliti e-mobi.hu

Severity: Critical
Type: Vulnerability
Tags: CVE-2026-26051, CWE-306
Published: Fri Mar 06 2026 (03/06/2026, 15:03:03 UTC)
Source: CVE Database V5
Vendor/Project: Mobiliti
Product: e-mobi.hu

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

AI-Powered Analysis

AI analysis last updated: 03/06/2026, 15:31:00 UTC

Technical Analysis

CVE-2026-26051 is a critical vulnerability in the Mobiliti e-mobi.hu charging platform; the advisory lists all versions as affected. The WebSocket endpoints that carry OCPP (Open Charge Point Protocol) traffic between charging stations and the backend do not authenticate the connecting client. In OCPP over WebSocket (OCPP-J) the station's identity is simply an identifier in the connection URL, so an attacker who knows or guesses a valid charging station identifier can open a connection to the endpoint and the backend treats that connection as the legitimate charger.

Once connected, the attacker can send station-originated OCPP messages (boot and status notifications, meter values, transaction start and stop) and can receive commands the backend intends for the real station. That allows manipulation of charging operations, disruption of service, and corruption of the data the backend relies on for billing, usage statistics and operational monitoring. Because authentication is absent rather than weak, no stolen credential, prior access or user interaction is needed.

The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 base score of 9.4: network-reachable, low attack complexity, no privileges and no user interaction required, with high confidentiality and integrity impact (with those metrics, a 9.4 under CVSS 3.1 corresponds to an unchanged scope and a low availability impact). No exploitation in the wild had been reported at the time of this analysis, but the vulnerability is a significant risk for operators of Mobiliti-based charging networks, particularly those running many stations.
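To make the missing check concrete, here is an added example in Python (not code from Mobiliti or e-mobi.hu, whose implementation is not shown on this page) of the two ways an OCPP-J backend can handle a station's WebSocket upgrade request. The station identity as the last URL path segment and the HTTP Basic credential layout (username = charge point identity, password = the station's AuthorizationKey) follow OCPP security profiles 1 and 2; the credential store, the key values and the sample BootNotification frame are constructed for the example.

```python
"""
Added example (not Mobiliti/e-mobi.hu code): accepting or rejecting an OCPP-J
WebSocket upgrade. In OCPP-J the charge point identity is the last URL path
segment (e.g. /ocpp/CP-0042); OCPP security profiles 1 and 2 authenticate the
station with HTTP Basic auth, username = that identity, password = the
station's AuthorizationKey. The credential store and sample frame below are
constructed for this example.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

CALL = 2  # OCPP-J MessageTypeId for a CALL frame


def _key_hash(key: str) -> bytes:
    return hashlib.sha256(key.encode()).digest()


# Hypothetical inventory: identity -> SHA-256 of its AuthorizationKey.
# A real CSMS keeps per-station keys in a secrets store, never in code.
KNOWN_STATIONS = {
    "CP-0042": _key_hash("s3cr3t-key-0042"),
    "CP-0099": _key_hash("another-key-0099"),
}
# Compared against for unknown identities so the timing does not reveal which ids exist.
_DUMMY_HASH = _key_hash("dummy")


def identity_from_path(path: str) -> Optional[str]:
    """Charge point identity is the last path segment of the WebSocket URL."""
    ident = path.rstrip("/").rsplit("/", 1)[-1]
    return ident or None


def vulnerable_accept(path: str, headers: dict) -> Optional[str]:
    """The CWE-306 pattern: whoever names a known identity becomes that station."""
    ident = identity_from_path(path)
    return ident if ident in KNOWN_STATIONS else None


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a station (or an attacker) would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _basic_credentials(headers: dict) -> Optional[Tuple[str, str]]:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def hardened_accept(path: str, headers: dict) -> Optional[str]:
    """Accept only if valid credentials are presented for the identity in the URL."""
    ident = identity_from_path(path)
    creds = _basic_credentials(headers)
    if ident is None or creds is None:
        return None
    user, password = creds
    expected = KNOWN_STATIONS.get(ident, _DUMMY_HASH)
    key_ok = hmac.compare_digest(expected, _key_hash(password))
    # The authenticated principal must be the identity claimed in the URL; otherwise
    # a valid key for CP-0099 could be used to speak as CP-0042.
    if user != ident or ident not in KNOWN_STATIONS or not key_ok:
        return None
    return ident


def parse_ocpp_call(raw: str) -> Tuple[str, str, dict]:
    """Validate an OCPP-J CALL frame: [2, "<UniqueId>", "<Action>", {payload}]."""
    msg = json.loads(raw)
    if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL):
        raise ValueError("not an OCPP-J CALL frame")
    unique_id, action, payload = msg[1], msg[2], msg[3]
    if not (isinstance(unique_id, str) and isinstance(action, str) and isinstance(payload, dict)):
        raise ValueError("malformed CALL frame")
    return unique_id, action, payload


# Constructed BootNotification as a station (or an impersonator) would send it.
SAMPLE_BOOT = json.dumps([2, "19223201", "BootNotification",
                          {"chargePointVendor": "VendorX", "chargePointModel": "SingleSocketCharger"}])

if __name__ == "__main__":
    spoof = "/ocpp/CP-0042"
    print("vulnerable, no auth :", vulnerable_accept(spoof, {}))
    print("hardened, no auth   :", hardened_accept(spoof, {}))
    print("hardened, right key :", hardened_accept(spoof, basic_header("CP-0042", "s3cr3t-key-0042")))
    print("hardened, other key :", hardened_accept(spoof, basic_header("CP-0099", "another-key-0099")))
    print("frame               :", parse_ocpp_call(SAMPLE_BOOT))
```

The point of the last check in hardened_accept is easy to miss: authenticating the client is not enough on its own; the backend must also refuse to let a client authenticated as one station act under another station's identifier, or a single compromised charger key still lets an attacker impersonate the rest of the fleet.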

Potential Impact

The impact of CVE-2026-26051 is severe for operators of electric vehicle charging infrastructure built on Mobiliti e-mobi.hu. By impersonating a station, an attacker can control charging sessions, disrupt service availability, and manipulate or corrupt the data sent to the backend. The direct consequences are financial (incorrect billing, fraudulent charging), operational (disrupted sessions for EV users) and reputational for the service provider. Because the backend cannot distinguish a real charger from an impersonator, the integrity of usage data and network telemetry is undermined, and with it trust in the charging network. The compromised backend-to-station channel could also serve as a foothold for further attacks within the operator's network. Given the role of EV charging in the transportation and energy sectors, the exposure extends from private operators to public utilities, and where charging load feeds into grid or energy management, to those systems as well.

Mitigation Recommendations

The root fix is to authenticate every WebSocket connection before it is associated with a charging station identity, and that fix has to come from the vendor; engage Mobiliti for a patched release. OCPP already defines the mechanisms: the OCPP 1.6 security whitepaper and OCPP 2.0.1 specify security profile 1 (HTTP Basic authentication over an unsecured transport), profile 2 (TLS to the server plus HTTP Basic authentication with a per-station AuthorizationKey) and profile 3 (TLS with client-side certificates, i.e. mutual TLS). Profile 2 should be the minimum in production and profile 3 the target. Whatever profile is used, the backend must bind the authenticated principal to the station identifier in the connection URL, so that a valid credential for one station cannot be used to speak as another, and keys or certificates must be unique per station so that one compromised charger does not unlock the whole fleet.

Until a fix is deployed, an authenticating reverse proxy in front of the WebSocket endpoint can enforce client certificates or Basic authentication and reject connections whose station identifier is not in the inventory; a conventional WAF adds little here, since it sees the HTTP upgrade but not the OCPP frames that follow. Segment the charging infrastructure from other critical systems so that a compromised station session is not a foothold into the wider network.

For detection, log every WebSocket upgrade with source address, station identifier and authentication outcome, and alert on identifiers that are not in the inventory, on the same identifier connected from more than one source address at the same time, on connections without credentials once authentication is enabled, and on stations sending messages that only the central system should originate. Review station identifiers and access logs regularly; if identifiers are predictable (sequential serials, for example), an attacker can enumerate them. Finally, brief operational staff on the issue and add charging-infrastructure compromise scenarios to the incident response plan.
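As an added example of the detection logic described above (in Python; not code or a log format from Mobiliti or e-mobi.hu), the following runs impersonation checks over constructed backend access-log lines. The line layout, the station inventory, the five-minute correlation window and the sample entries are all assumptions made for this example; the set of actions a charge point may initiate is taken from OCPP 1.6.

```python
"""
Added example (not Mobiliti/e-mobi.hu code, and not a log format the vendor
publishes): connection- and command-level checks for OCPP station
impersonation, run over constructed CSMS access-log lines. The line format,
the inventory, the correlation window and the sample entries are assumptions
made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical station inventory for the example.
INVENTORY = {"CP-0042", "CP-0099"}

# OCPP 1.6 actions a charge point may initiate. Everything else (RemoteStartTransaction,
# Reset, ChangeConfiguration, ...) is sent by the central system, so a "station"
# sending one is either broken firmware or an impersonator probing the backend.
STATION_INITIATED = {
    "Authorize", "BootNotification", "DataTransfer", "DiagnosticsStatusNotification",
    "FirmwareStatusNotification", "Heartbeat", "MeterValues", "StartTransaction",
    "StatusNotification", "StopTransaction",
}

# Constructed log format: <iso-ts> <src-ip> <identity> connect auth=<mode> | call <Action>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<ident>\S+) (?P<event>connect|call) (?P<detail>\S+)$"
)

# Constructed sample: the real CP-0042 connects from 198.51.100.10, then an
# unauthenticated client from 203.0.113.77 claims the same identity.
SAMPLE_LOG = """\
2026-03-06T15:00:01Z 198.51.100.10 CP-0042 connect auth=basic
2026-03-06T15:00:02Z 198.51.100.10 CP-0042 call BootNotification
2026-03-06T15:00:30Z 203.0.113.77 CP-0042 connect auth=none
2026-03-06T15:00:31Z 203.0.113.77 CP-0042 call MeterValues
2026-03-06T15:00:32Z 203.0.113.77 CP-0042 call RemoteStartTransaction
2026-03-06T15:01:00Z 203.0.113.77 CP-9999 connect auth=none
2026-03-06T15:02:00Z 198.51.100.11 CP-0099 connect auth=basic
2026-03-06T15:02:01Z 198.51.100.11 CP-0099 call Heartbeat
"""

Finding = Tuple[str, str, str]  # (rule, identity, detail)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["ident"], m["event"], m["detail"]


def analyze(log_text: str, window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Return impersonation indicators found in the log, in log order."""
    findings: List[Finding] = []
    seen: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)  # ident -> [(ts, src)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, ident, event, detail = rec
        if ident not in INVENTORY:
            findings.append(("unknown_identity", ident, src))
        if event == "connect":
            if detail == "auth=none":
                findings.append(("unauthenticated_connect", ident, src))
            others = sorted({s for t, s in seen[ident] if ts - t <= window and s != src})
            if others:
                # The same identity is live from two addresses: one of them is not the charger.
                findings.append(("identity_from_multiple_sources", ident, f"{src} vs {','.join(others)}"))
            seen[ident].append((ts, src))
        elif event == "call" and detail not in STATION_INITIATED:
            findings.append(("csms_only_action_from_station", ident, detail))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick triage view."""
    counts: Dict[str, int] = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
    print(summarize(analyze(SAMPLE_LOG)))
```

The multiple-source rule is the one that catches impersonation even after authentication is fixed, because a stolen per-station key produces a fully authenticated second session; the unauthenticated-connect rule only becomes meaningful once the backend actually records an authentication outcome.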


Technical Details

Data Version
5.2
Assigner Short Name
icscert
Date Reserved
2026-02-24T00:30:38.952Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69aaefb7c48b3f10ff9de726

Added to database: 3/6/2026, 3:16:07 PM

Last enriched: 3/6/2026, 3:31:00 PM

Last updated: 3/6/2026, 9:47:10 PM

