CVE-2026-29796 is a critical security vulnerability identified in all versions of IGL-Technologies' eParking.fi product, which manages electric vehicle (EV) charging infrastructure. The core issue stems from the lack of proper authentication mechanisms on the WebSocket endpoints that handle Open Charge Point Protocol (OCPP) communications between charging stations and the backend system. OCPP is a widely adopted protocol for managing EV charging stations, facilitating commands and status updates. Due to the absence of authentication, an attacker can connect to the WebSocket endpoint using a known or discovered charging station identifier, effectively impersonating that station. This unauthorized access allows the attacker to issue commands or receive data as if they were the legitimate charger, leading to unauthorized control over the charging infrastructure. Potential consequences include privilege escalation within the charging network, manipulation or corruption of charging session data, and disruption of normal operations. The vulnerability is remotely exploitable without any user interaction or prior authentication, increasing the attack surface significantly. Despite no known exploits in the wild at the time of publication, the vulnerability's CVSS 3.1 score of 9.4 (critical) reflects its high impact on confidentiality, integrity, and partial impact on availability. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the fundamental security design flaw. Given the critical role of EV charging infrastructure in transportation and energy sectors, this vulnerability poses a significant risk to organizations relying on eParking.fi for their charging network management.

The impact of CVE-2026-29796 is severe for organizations operating EV charging infrastructure with eParking.fi. Unauthorized station impersonation can lead to complete loss of control over charging stations, allowing attackers to manipulate charging sessions, potentially causing financial losses through fraudulent charging or denial of service. Data integrity is compromised as attackers can alter or corrupt charging data sent to backend systems, affecting billing, usage statistics, and operational monitoring. Confidentiality is also at risk since attackers can intercept or inject OCPP commands, potentially exposing sensitive operational data. The disruption of charging services can affect customer satisfaction and trust, particularly in regions with high EV adoption. Additionally, attackers could leverage this vulnerability to escalate privileges within the network, potentially pivoting to other critical infrastructure components. The lack of authentication and ease of exploitation mean that attackers with minimal technical skill can exploit this vulnerability remotely, increasing the likelihood of attacks. The overall impact extends beyond individual organizations to the broader EV ecosystem, potentially undermining confidence in smart charging infrastructure security.

To mitigate CVE-2026-29796 effectively, organizations should implement strong authentication mechanisms on all WebSocket endpoints handling OCPP communications. This includes enforcing mutual TLS authentication or token-based authentication to verify the identity of charging stations before allowing command exchange. Network segmentation should be employed to isolate charging infrastructure from other critical systems, limiting lateral movement in case of compromise. Monitoring and anomaly detection systems should be configured to identify unusual OCPP traffic patterns, such as unexpected station identifiers or command sequences, enabling rapid incident response. Regular audits of charging station identifiers and access logs can help detect unauthorized access attempts. Vendors should prioritize releasing patches or updates that address this vulnerability by integrating authentication controls natively. Until patches are available, organizations can deploy Web Application Firewalls (WAFs) or reverse proxies to enforce authentication and filter unauthorized WebSocket connections. Employee training on the risks associated with charging infrastructure security and incident response preparedness is also recommended. Finally, organizations should maintain an inventory of all charging stations and their identifiers to detect and respond to impersonation attempts promptly.