CVE-2026-26305: CWE-307 in Mobility46 mobility46.se
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-26305 affects all versions of Mobility46's mobility46.se product. It is caused by the WebSocket API not enforcing restrictions on the number of authentication requests, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). This absence of rate limiting can be exploited to perform denial-of-service attacks that suppress or mis-route legitimate telemetry data from chargers or to conduct brute-force attacks aimed at unauthorized access. The CVSS v3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, no user interaction, and an impact limited to availability (denial of service). No patches or fixes have been documented, and the product is not a cloud service, so remediation depends on vendor action.
Potential Impact
The impact of this vulnerability is primarily denial of service, which can disrupt legitimate charger telemetry by suppressing or mis-routing data. Additionally, the lack of rate limiting may allow brute-force attacks to attempt unauthorized access. There is no reported confidentiality or integrity impact. The vulnerability could affect availability of the service, potentially impacting operational continuity of charging infrastructure relying on this product.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently documented, users should monitor vendor communications for updates. Until a patch is available, consider implementing external rate limiting or network-level controls to mitigate excessive authentication attempts if feasible. Avoid relying solely on the vulnerable WebSocket API for critical authentication without additional protective measures.
CVE-2026-26305: CWE-307 in Mobility46 mobility46.se
Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-26305 affects all versions of Mobility46's mobility46.se product. It is caused by the WebSocket API not enforcing restrictions on the number of authentication requests, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). This absence of rate limiting can be exploited to perform denial-of-service attacks that suppress or mis-route legitimate telemetry data from chargers or to conduct brute-force attacks aimed at unauthorized access. The CVSS v3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, no user interaction, and an impact limited to availability (denial of service). No patches or fixes have been documented, and the product is not a cloud service, so remediation depends on vendor action.
Potential Impact
The impact of this vulnerability is primarily denial of service, which can disrupt legitimate charger telemetry by suppressing or mis-routing data. Additionally, the lack of rate limiting may allow brute-force attacks to attempt unauthorized access. There is no reported confidentiality or integrity impact. The vulnerability could affect availability of the service, potentially impacting operational continuity of charging infrastructure relying on this product.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently documented, users should monitor vendor communications for updates. Until a patch is available, consider implementing external rate limiting or network-level controls to mitigate excessive authentication attempts if feasible. Avoid relying solely on the vulnerable WebSocket API for critical authentication without additional protective measures.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- icscert
- Date Reserved
- 2026-02-24T00:35:18.457Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69a0ebae32ffcdb8a293f32c
Added to database: 2/27/2026, 12:56:14 AM
Last enriched: 4/9/2026, 10:11:31 PM
Last updated: 4/12/2026, 11:45:39 PM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.