CVE-2026-31903 identifies a vulnerability in the WebSocket API of IGL-Technologies' eParking.fi product, which is used for managing electric vehicle charging infrastructure. The core issue is the absence of restrictions on the number of authentication requests that can be made via the WebSocket interface. This lack of rate limiting allows attackers to flood the system with authentication attempts, leading to two primary attack vectors: denial-of-service (DoS) and brute-force attacks. In a DoS scenario, attackers can suppress or mis-route legitimate telemetry data from charging stations, disrupting normal operations and potentially causing outages or degraded service. Alternatively, attackers can attempt brute-force authentication to gain unauthorized access to the system, potentially compromising control over charging infrastructure. The vulnerability is remotely exploitable without requiring prior authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.5 reflects high severity, primarily due to the impact on availability and the ease of exploitation over the network. Although no public exploits have been reported yet, the vulnerability affects all versions of eParking.fi, indicating a broad attack surface. The CWE-307 classification highlights the failure to implement proper access control mechanisms, specifically rate limiting, which is a fundamental security control for authentication endpoints. Given the critical role of EV charging infrastructure in modern transportation and energy management, exploitation could have significant operational consequences.

The primary impact of CVE-2026-31903 is on the availability of the eParking.fi service, as attackers can launch denial-of-service attacks by overwhelming the WebSocket API with authentication requests. This can disrupt the telemetry data flow from charging stations, leading to mismanagement or outages of EV charging services. Additionally, the vulnerability facilitates brute-force attacks that could lead to unauthorized access, potentially compromising the integrity and control of charging infrastructure. Such unauthorized access could allow attackers to manipulate charging sessions, cause financial losses, or damage the reputation of service providers. The disruption of EV charging services can have cascading effects on transportation networks, especially in regions with high EV adoption. Organizations worldwide that depend on eParking.fi for managing EV charging infrastructure face risks of service interruptions and security breaches. The lack of authentication or user interaction requirements makes the attack easier to execute remotely, increasing the threat's reach and potential impact.

To mitigate CVE-2026-31903 effectively, organizations should implement strict rate limiting on the WebSocket API authentication requests to prevent abuse. This can be achieved by configuring application-level controls or deploying Web Application Firewalls (WAFs) that monitor and throttle excessive authentication attempts. Additionally, implementing account lockout policies or progressive delays after failed authentication attempts can reduce brute-force risks. Monitoring and logging authentication request patterns will help detect anomalous activity early. Network-level protections such as IP reputation filtering and geo-blocking may further reduce exposure. Organizations should also engage with IGL-Technologies to obtain and apply any forthcoming patches or updates addressing this vulnerability. Where possible, deploying multi-factor authentication (MFA) for access to the management interfaces can add an additional security layer. Finally, conducting regular security assessments and penetration testing on the eParking.fi deployment will help identify and remediate related weaknesses proactively.