CVE-2026-26288: CWE-306 in Everon api.everon.io
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis
Technical Summary
CVE-2026-26288 is a critical authentication bypass vulnerability classified under CWE-306, affecting the Everon api.everon.io platform, specifically its OCPP (Open Charge Point Protocol) WebSocket endpoints. These endpoints do not implement any authentication mechanisms, allowing attackers to connect as if they were legitimate charging stations by simply using a known or discovered station identifier. Once connected, attackers can send or receive OCPP commands, effectively impersonating a charging station. This can lead to unauthorized control over charging operations, including starting or stopping charging sessions, manipulating charging parameters, or corrupting data reported to the backend system. The vulnerability impacts all versions of the Everon platform and is remotely exploitable over the network without requiring any privileges or user interaction. The CVSS v3.1 score of 9.4 reflects the high confidentiality and integrity impact, with a low attack complexity and no authentication required. Although no patches or mitigations have been published yet, the flaw poses a severe risk to the integrity and availability of electric vehicle charging infrastructure managed via Everon's platform.
Potential Impact
The vulnerability enables attackers to impersonate legitimate charging stations, leading to unauthorized control over charging infrastructure. This can result in privilege escalation, manipulation of charging sessions, disruption of service availability, and corruption of critical operational data reported to backend systems. Organizations could face operational downtime, financial losses, reputational damage, and potential safety risks if charging stations are manipulated maliciously. The integrity of billing and usage data may also be compromised, affecting revenue and regulatory compliance. Given the increasing reliance on electric vehicle infrastructure, this vulnerability could have widespread implications for utilities, charging network operators, and end users globally.
Mitigation Recommendations
Organizations should immediately implement network-level access controls to restrict connections to the OCPP WebSocket endpoints to trusted sources only. Employ VPNs or private networks to isolate charging station communications from public internet access. Monitor network traffic for anomalous connections or commands that do not correspond to known station identifiers or expected behavior. Implement application-layer authentication proxies or gateways that enforce authentication before allowing WebSocket connections to the backend. Coordinate with Everon for timely patches or updates once available and plan for rapid deployment. Additionally, maintain an inventory of charging station identifiers and monitor for unauthorized use. Consider deploying anomaly detection systems to identify unusual command patterns indicative of impersonation attempts.
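One way to realise the application-layer authentication gateway and the station-identifier inventory checks recommended above, as an added example that is not Everon's code and is not part of the original advisory. It assumes the OCPP-J convention of the charge point identity as the last path segment of the WebSocket URL and HTTP Basic credentials as in OCPP security profile 1 (username = charge point identity, password = per-station shared key); the station IDs and keys are constructed sample values.

```python
"""Admission check for an OCPP-J WebSocket gateway (illustrative, not Everon's code).

An upgrade request is accepted only if the charge point identity in the URL path is
in the station inventory AND the HTTP Basic credentials verify against that station's
stored key. Every decision carries a reason so rejections can feed monitoring.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERS = 100_000  # assumed work factor for the stored key hash


@dataclass(frozen=True)
class Decision:
    accepted: bool
    station_id: str
    reason: str  # "ok", "unknown_station", "missing_auth", "identity_mismatch", "bad_key"


def register_station(inventory: dict, station_id: str, shared_key: str) -> None:
    """Store a salted PBKDF2 hash of the station's shared key, never the key itself."""
    salt = os.urandom(16)
    inventory[station_id] = (salt, hashlib.pbkdf2_hmac("sha256", shared_key.encode(), salt, PBKDF2_ITERS))


def _parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def admit(inventory: dict, path: str, auth_header: Optional[str]) -> Decision:
    """Decide whether a WebSocket upgrade for /ocpp/<station_id> may reach the backend."""
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    entry = inventory.get(station_id)
    if entry is None:  # identifier not in inventory: candidate impersonation attempt
        return Decision(False, station_id, "unknown_station")
    creds = _parse_basic(auth_header)
    if creds is None:
        return Decision(False, station_id, "missing_auth")
    user, pwd = creds
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return Decision(False, station_id, "identity_mismatch")
    salt, expected = entry
    presented = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, PBKDF2_ITERS)
    if not hmac.compare_digest(presented, expected):
        return Decision(False, station_id, "bad_key")
    return Decision(True, station_id, "ok")


def basic_header(user: str, pwd: str) -> str:
    """Build an Authorization header value; used only for constructed sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()
```

Rejections with reason "unknown_station" are the signal the monitoring recommendation above asks for: a connection attempt using an identifier that is not in the inventory.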
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-25T15:28:27.119Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e25
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/13/2026, 7:24:46 PM
Last updated: 4/21/2026, 2:54:33 AM