CVE-2026-29796: CWE-306 in IGL-Technologies eParking.fi
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-29796 is a critical security vulnerability identified in the eParking.fi product by IGL-Technologies, affecting all versions of the software. The root cause is the absence of authentication mechanisms on the WebSocket endpoints that handle OCPP communications between charging stations and the backend system. OCPP (Open Charge Point Protocol) is the protocol widely used for managing electric vehicle charging stations. Because no authentication is enforced, an attacker can connect to the WebSocket endpoint using a known or discovered charging station identifier, effectively impersonating that station. This unauthorized access allows the attacker to send or receive OCPP commands as if they were the legitimate charger, leading to privilege escalation and unauthorized control over the charging infrastructure. The attacker can manipulate charging sessions, disrupt operations, and corrupt data reported to the backend, potentially impacting billing, usage statistics, and operational monitoring. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), reflecting the failure to enforce authentication on a critical communication channel. The CVSS v3.1 score of 9.4 indicates critical severity: network attack vector, no privileges or user interaction required, high impact on confidentiality and integrity, and some impact on availability. Despite the severity, no patches or mitigations have been published yet, and no known exploits have been observed in the wild. This vulnerability poses a significant threat to organizations relying on eParking.fi for managing EV charging infrastructure.
Potential Impact
The impact of CVE-2026-29796 is substantial for organizations operating electric vehicle charging networks using eParking.fi. Unauthorized attackers can impersonate legitimate charging stations, gaining control over charging sessions, potentially causing financial losses through fraudulent charging or denial of service by disrupting charging availability. The integrity of charging data, such as usage logs and billing information, can be compromised, leading to inaccurate reporting and potential disputes. Confidentiality is also at risk, as attackers may intercept or manipulate sensitive operational data. The disruption of charging infrastructure can affect customer trust and operational continuity, especially for public or commercial charging networks. Additionally, attackers could leverage this access to pivot within the network, escalating privileges or launching further attacks on backend systems. The lack of authentication on critical communication channels represents a severe security gap that could be exploited at scale, affecting multiple stations and users simultaneously.
Mitigation Recommendations
Given the absence of official patches, organizations should implement compensating controls immediately. First, restrict network access to the WebSocket endpoints by implementing network segmentation and firewall rules to allow connections only from trusted charging stations or management systems. Employ VPNs or secure tunnels to protect communications between charging stations and backend systems. Monitor network traffic for anomalous connections or unexpected OCPP commands indicative of impersonation attempts. Implement strong logging and alerting on WebSocket connections to detect unauthorized access. Where possible, deploy application-layer proxies or gateways that enforce authentication and authorization before forwarding OCPP commands to the backend. Engage with IGL-Technologies for updates and patches, and plan for rapid deployment once available. Additionally, conduct regular security assessments of the charging infrastructure and update incident response plans to address potential exploitation of this vulnerability.
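The application-layer gateway recommended above needs a concrete admission check before it forwards a WebSocket upgrade to the backend. The following is an added example, not code from eParking.fi or IGL-Technologies; it assumes stations connect to a path of the form /ocpp/<stationId>, present HTTP Basic credentials on the upgrade request (as the OCPP 1.6 security profiles do), that the gateway passes header names in lowercase, and that the station credential store shown here is constructed sample data.

```python
"""Authentication check in front of an OCPP WebSocket endpoint (added example).

Assumed, not from the advisory: stations open ws://host/ocpp/<stationId> and send
HTTP Basic credentials on the upgrade request, as the OCPP 1.6 security profiles
do. The check runs in a gateway before the connection is forwarded to the backend.
"""
import base64
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store: station id -> (salt, derived key).
_SALT_1 = os.urandom(16)
STATION_SECRETS = {"CP-0001": (_SALT_1, _derive("s3cret-0001", _SALT_1))}
# Used for unknown ids so the rejection path still performs a derivation.
_DUMMY = (b"\0" * 16, _derive("dummy", b"\0" * 16))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a station would send (helper for callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize_upgrade(path: str, headers: dict) -> tuple[bool, str]:
    """Decide whether a WebSocket upgrade may be forwarded. Returns (allowed, reason).

    Checks, in order: the path names a station; Basic credentials are present and
    well-formed; the credential identity equals the station in the path (a valid
    CP-0001 credential must not let a client speak as CP-0002); the secret matches.
    Header keys are assumed to be lowercase.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "ocpp" or not parts[1]:
        return False, "bad path"
    station = parts[1]
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False, "missing credentials"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed credentials"
    if user != station:
        return False, "identity mismatch"
    salt, expected = STATION_SECRETS.get(user, _DUMMY)
    known = user in STATION_SECRETS
    if not known or not hmac.compare_digest(expected, _derive(password, salt)):
        return False, "invalid credentials"
    return True, "ok"
```

Each rejection reason is a distinct value so the gateway can log it and alerting can key on repeated "identity mismatch" or "invalid credentials" results for the same station id, which is the impersonation pattern the advisory describes.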
Affected Countries
United States, Germany, Netherlands, Norway, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-12T20:17:17.751Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdd4681188d0bb0cbbf678
Added to database: 3/20/2026, 11:12:40 PM
Last enriched: 3/20/2026, 11:22:43 PM
Last updated: 3/21/2026, 12:43:49 AM