CVE-2026-26051 is a critical security vulnerability identified in all versions of Mobiliti's e-mobi.hu product, which manages electric vehicle charging stations via OCPP (Open Charge Point Protocol) over WebSocket connections. The core issue stems from the absence of proper authentication mechanisms on the WebSocket endpoints. This lack of authentication allows an unauthenticated attacker to connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier, effectively impersonating that station. Once connected, the attacker can issue OCPP commands or receive commands and data as if they were the legitimate charging station. This unauthorized access can lead to privilege escalation within the charging infrastructure, enabling attackers to manipulate charging operations, disrupt service, or corrupt data reported to the backend management systems. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS v3.1 base score of 9.4, reflecting its critical severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality and integrity to a high degree, with some impact on availability. Despite no known exploits in the wild at the time of publication, the vulnerability poses a significant risk to the security and reliability of electric vehicle charging networks that rely on this product. The absence of authentication on critical communication channels violates fundamental security principles and exposes the charging infrastructure to potential sabotage, data manipulation, and unauthorized control.

The impact of CVE-2026-26051 is substantial for organizations operating electric vehicle charging infrastructure using Mobiliti's e-mobi.hu platform. Unauthorized access to the OCPP WebSocket endpoint can lead to attackers impersonating legitimate charging stations, which compromises the confidentiality and integrity of charging session data and control commands. This can result in unauthorized manipulation of charging operations, including starting, stopping, or altering charging sessions, potentially causing financial losses, operational disruptions, and damage to the charging hardware. Corruption of data sent to backend systems can undermine billing accuracy, reporting, and monitoring, affecting business operations and customer trust. Additionally, attackers could escalate privileges within the network, potentially moving laterally to other systems or causing broader infrastructure disruptions. Given the critical role of electric vehicle charging networks in transportation and energy sectors, such attacks could have cascading effects on public infrastructure reliability and safety. The vulnerability's ease of exploitation and lack of required authentication make it a high-risk threat globally, especially as EV adoption grows and charging networks expand.

To mitigate CVE-2026-26051, organizations should implement robust authentication mechanisms on all WebSocket endpoints used for OCPP communication. This includes enforcing mutual TLS authentication or token-based authentication schemes to verify the identity of charging stations before allowing connections. Network segmentation should be applied to isolate charging infrastructure from other critical systems, limiting the attack surface. Monitoring and logging of WebSocket connections and OCPP command traffic should be enhanced to detect anomalous or unauthorized activity promptly. Organizations should work with Mobiliti to obtain patches or updates that address this vulnerability once available. In the absence of official patches, deploying Web Application Firewalls (WAFs) or network-level access controls to restrict connections to trusted IP addresses or networks can reduce exposure. Regular security assessments and penetration testing focused on the charging infrastructure can help identify similar weaknesses. Finally, educating operational staff about the risks and signs of compromise can improve incident response readiness.