CVE-2026-26288: CWE-306 in Everon api.everon.io
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis
Technical Summary
CVE-2026-26288 is a critical security vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting all versions of Everon's api.everon.io platform. The vulnerability arises because the WebSocket endpoints that facilitate OCPP communication between charging stations and the backend do not enforce any authentication mechanisms. This design flaw allows an unauthenticated attacker to connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier, effectively impersonating that station. Once connected, the attacker can issue OCPP commands or receive commands and data as if they were the legitimate charger. This unauthorized access can lead to privilege escalation, enabling attackers to control charging operations, disrupt service availability, manipulate charging schedules, or corrupt the data reported to the backend systems. The vulnerability impacts confidentiality by exposing sensitive operational data, integrity by allowing unauthorized command injection and data manipulation, and availability by potentially disrupting charging services. The CVSS v3.1 score of 9.4 reflects the ease of exploitation (no authentication or user interaction required), network attack vector, and high impact on confidentiality and integrity with some impact on availability. Despite the lack of known exploits in the wild, the vulnerability represents a significant risk to electric vehicle charging infrastructure relying on Everon's platform, which is critical for energy and transportation sectors. The absence of patches at the time of publication necessitates immediate risk management and mitigation efforts.
Potential Impact
The impact of CVE-2026-26288 is substantial for organizations operating or managing electric vehicle charging infrastructure using Everon's api.everon.io platform. Attackers exploiting this vulnerability can impersonate legitimate charging stations, leading to unauthorized control over charging operations. This can result in unauthorized energy consumption, disruption of charging availability, and manipulation of billing or usage data, potentially causing financial losses and reputational damage. The integrity of the charging network data is compromised, undermining trust in operational metrics and backend analytics. Additionally, attackers could disrupt service availability, affecting end-users and critical transportation infrastructure. Given the increasing reliance on electric vehicle infrastructure globally, this vulnerability poses risks to energy providers, fleet operators, municipalities, and critical infrastructure entities. The lack of authentication also raises concerns about potential lateral movement or escalation within connected systems. While no exploits are currently known in the wild, the vulnerability's ease of exploitation and critical impact make it a high-priority threat that could be leveraged in targeted attacks or broader campaigns against smart grid and transportation systems.
Mitigation Recommendations
To mitigate CVE-2026-26288, organizations should implement the following specific measures:
1) Immediately restrict network access to the api.everon.io WebSocket endpoints by applying firewall rules or network segmentation to limit connections only to trusted charging stations and management systems.
2) Deploy additional authentication layers at the network perimeter or via reverse proxies that enforce mutual TLS or token-based authentication before allowing WebSocket connections.
3) Monitor WebSocket connection logs for anomalous activity, such as connections from unexpected IP addresses or multiple connections using the same station identifier.
4) Implement anomaly detection on OCPP command patterns to identify unauthorized or suspicious commands indicative of impersonation attempts.
5) Coordinate with Everon for timely patches or updates addressing the authentication flaw and apply them as soon as available.
6) Conduct regular security audits and penetration testing focused on the charging infrastructure communication channels.
7) Educate operational teams on the risks of this vulnerability and establish incident response procedures specific to charging station impersonation scenarios.
8) Consider deploying network-level intrusion detection/prevention systems (IDS/IPS) tuned to detect OCPP protocol misuse.
These targeted actions go beyond generic advice by focusing on compensating controls and proactive monitoring until a vendor patch is released.
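The log monitoring in measure 3 can be sketched as follows. This is an added example, not code from Everon or from the advisory; the log format, the station identifiers, the IP ranges and the `EXPECTED` inventory are all constructed assumptions.

```python
import ipaddress

# Constructed sample log: timestamp, event, station identifier, source IP.
SAMPLE_LOG = """\
2026-03-06T10:00:00Z OPEN CS-0001 198.51.100.10
2026-03-06T10:00:05Z OPEN CS-0002 198.51.100.11
2026-03-06T10:02:00Z OPEN CS-0001 203.0.113.77
2026-03-06T10:03:00Z CLOSE CS-0002 198.51.100.11
2026-03-06T10:04:00Z OPEN CS-0002 198.51.100.11
2026-03-06T10:05:00Z OPEN CS-0003 192.0.2.200
"""

# Hypothetical inventory: networks each known station should connect from.
EXPECTED = {
    "CS-0001": ["198.51.100.0/24"],
    "CS-0002": ["198.51.100.0/24"],
}

def ip_expected(station, ip):
    nets = EXPECTED.get(station, [])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def find_anomalies(log_text):
    """Return (timestamp, station, ip, reason) tuples in log order."""
    open_sessions = {}  # station -> source IPs that currently hold a socket
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of stopping the monitor
        ts, event, station, ip = parts
        active = open_sessions.setdefault(station, set())
        if event == "CLOSE":
            active.discard(ip)
            continue
        if event != "OPEN":
            continue
        if station not in EXPECTED:
            alerts.append((ts, station, ip, "unknown-station"))
        elif not ip_expected(station, ip):
            alerts.append((ts, station, ip, "unexpected-source"))
        if active - {ip}:  # same identifier already connected from elsewhere
            alerts.append((ts, station, ip, "concurrent-session"))
        active.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

A reconnect from the same address after a clean close raises no alert, so routine station restarts do not add noise.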
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-25T15:28:27.119Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e25
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/6/2026, 3:45:40 PM
Last updated: 3/7/2026, 8:45:06 AM