CVE-2026-31903 identifies a security weakness in the WebSocket Application Programming Interface of IGL-Technologies' eParking.fi platform, which is used for managing electric vehicle charging infrastructure. The core issue is the absence of restrictions or rate limiting on the number of authentication requests that can be sent via the WebSocket API. This lack of control allows an attacker to flood the system with authentication attempts, potentially causing denial-of-service conditions by suppressing or mis-routing legitimate charger telemetry data. Additionally, the unrestricted authentication attempts enable brute-force attacks aimed at gaining unauthorized access to the system. Since the vulnerability requires no prior authentication and no user interaction, it can be exploited remotely over the network with low complexity. The vulnerability affects all versions of eParking.fi, indicating a systemic design flaw. The CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights that while confidentiality and integrity are not directly impacted, the availability of the system is severely affected. The absence of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation measures. The vulnerability is tracked under CWE-307, which relates to improper restriction of excessive authentication attempts, a common vector for DoS and brute-force attacks.

The primary impact of CVE-2026-31903 is on the availability of the eParking.fi system, which could lead to denial-of-service conditions affecting electric vehicle charging infrastructure telemetry. Disruption or mis-routing of telemetry data can impair operational monitoring and management of charging stations, potentially causing service outages or degraded performance. Additionally, the possibility of brute-force attacks to gain unauthorized access threatens system integrity and could lead to unauthorized control or manipulation of charging infrastructure. For organizations managing large fleets or public charging networks, this could result in significant operational disruptions, financial losses, and reputational damage. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of widespread attacks. Although no known exploits are currently reported, the potential for automated attacks exploiting this flaw is high, especially as electric vehicle infrastructure becomes more critical globally.

To mitigate CVE-2026-31903, organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent excessive or automated attempts. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and throttling abnormal authentication traffic can provide an immediate protective layer. Monitoring and alerting on unusual authentication patterns or spikes in WebSocket traffic will help detect ongoing attacks early. Employing multi-factor authentication (MFA) where possible can reduce the risk of successful brute-force attacks. Network segmentation and limiting exposure of the WebSocket API to trusted networks or VPNs can reduce the attack surface. Until an official patch is released by IGL-Technologies, organizations should coordinate with the vendor for updates and consider temporary compensating controls such as disabling WebSocket access if feasible. Regular security assessments and penetration testing focused on authentication mechanisms are recommended to identify and remediate similar issues proactively.