CVE-2026-26290 is a vulnerability identified in the ev.energy product by EV Energy, impacting all versions. The root cause lies in the WebSocket backend implementation, which uses charging station identifiers as session identifiers to associate sessions uniquely. However, these session identifiers are predictable and do not enforce uniqueness per connection, allowing multiple endpoints to connect simultaneously using the same session ID. This design flaw leads to session hijacking or session shadowing attacks, where a malicious actor can connect using the same session ID as a legitimate charging station, effectively displacing the legitimate connection. Consequently, the attacker can receive backend commands intended for the legitimate station, potentially manipulating charging operations or gaining unauthorized access. Additionally, the vulnerability enables denial-of-service (DoS) conditions by allowing attackers to flood the backend with valid session requests, overwhelming system resources. The CVSS 3.1 base score is 7.3, reflecting high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability poses significant risks due to the critical role of EV charging infrastructure and the ease of exploitation.

The vulnerability can have severe consequences for organizations relying on ev.energy for electric vehicle charging management. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging sessions, disrupting billing, or causing operational confusion. This compromises the integrity and confidentiality of charging data and control commands. The ability to displace legitimate connections can also result in denial-of-service conditions, affecting availability and potentially causing widespread disruption in EV charging services. Given the increasing reliance on EV infrastructure in transportation and energy sectors, such disruptions could impact fleet operations, public charging networks, and energy management systems. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the risk of automated or large-scale attacks. Organizations may face reputational damage, financial losses, and regulatory scrutiny if these vulnerabilities are exploited.

To mitigate CVE-2026-26290, organizations should implement the following specific measures: 1) Enforce unique session identifiers per connection and implement robust session management to prevent multiple simultaneous connections using the same session ID. 2) Introduce cryptographically secure, unpredictable session tokens instead of predictable charging station identifiers to prevent session hijacking. 3) Implement backend validation to detect and block duplicate or conflicting session connections. 4) Rate-limit WebSocket connection attempts to mitigate denial-of-service risks from session flooding. 5) Employ mutual authentication mechanisms between charging stations and backend services to ensure only authorized devices can establish sessions. 6) Monitor WebSocket traffic for anomalous patterns indicative of session hijacking or DoS attempts. 7) Coordinate with EV Energy for official patches or updates once available and apply them promptly. 8) Consider network segmentation and firewall rules to restrict access to backend WebSocket endpoints to trusted sources only. These targeted actions go beyond generic advice by focusing on session management, authentication, and traffic control specific to the ev.energy WebSocket backend architecture.