CVE-2026-27652 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the CloudCharge cloudcharge.se platform. The root cause lies in the WebSocket backend's session management design, where charging station identifiers are used as unique session identifiers. However, the system allows multiple endpoints to connect simultaneously using the same session ID, which is predictable. This design flaw enables an attacker to hijack or shadow sessions by establishing a new connection with the same session identifier, effectively displacing the legitimate charging station. Consequently, the attacker can receive backend commands intended for the legitimate device, potentially leading to unauthorized authentication as other users or manipulation of charging station operations. Additionally, the vulnerability can be exploited to launch denial-of-service attacks by overwhelming the backend with numerous valid session requests, disrupting service availability. The vulnerability has a CVSS v3.1 base score of 7.3, indicating high severity, with attack vector being network-based, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. All versions of the product are affected, and no patches or fixes have been published yet. The vulnerability was publicly disclosed on February 26, 2026, and no known exploits have been reported in the wild as of now.

The vulnerability allows attackers to hijack or shadow legitimate charging station sessions, leading to unauthorized access to backend commands and potentially impersonating legitimate devices or users. This compromises confidentiality by exposing session data and control commands, integrity by allowing manipulation of charging station operations, and availability by enabling denial-of-service attacks through session flooding. For organizations relying on CloudCharge's platform to manage electric vehicle charging infrastructure, this could result in operational disruptions, unauthorized control over charging stations, and potential safety risks. The ability to displace legitimate devices could also undermine trust in the system's reliability and security. Given the network-based attack vector and lack of required authentication, the threat can be exploited remotely and at scale, increasing the risk of widespread impact on critical infrastructure and service continuity.

To mitigate this vulnerability, CloudCharge should implement robust session management practices, including generating cryptographically secure, unpredictable session identifiers that are unique per connection and cannot be reused or guessed. The backend should enforce strict one-to-one mapping between session identifiers and charging stations, preventing multiple simultaneous connections with the same session ID. Implementing session expiration and re-authentication mechanisms can reduce the risk of session hijacking. Rate limiting and anomaly detection should be applied to prevent denial-of-service attacks caused by session flooding. Organizations using the platform should monitor network traffic for unusual session activity and restrict access to the WebSocket backend through network segmentation and firewall rules. Until a patch is available, deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious session reuse attempts can provide interim protection. Regular security assessments and coordination with CloudCharge for timely updates are essential to address this vulnerability effectively.