CVE-2026-31926 is a vulnerability classified under CWE-522, which pertains to insufficiently protected authentication credentials. In this case, the authentication identifiers used by charging stations managed through IGL-Technologies' eParking.fi platform are publicly accessible via web-based mapping platforms. This exposure means that anyone can retrieve these identifiers without authentication or user interaction, as the vulnerability is remotely exploitable over the network. The identifiers likely serve as credentials or tokens that authenticate charging stations or users within the eParking.fi ecosystem. Their public availability could allow attackers to impersonate legitimate charging stations, potentially enabling unauthorized access to charging services, manipulation of billing, or disruption of service integrity. The vulnerability affects all versions of the product, indicating a systemic design or implementation flaw. The CVSS v3.1 base score of 6.5 reflects a medium severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality and integrity impact without availability impact. No patches or mitigations have been officially released yet, and no exploits have been observed in the wild. The vulnerability was reserved and published in March 2026 by ICS-CERT, highlighting its relevance to industrial control or critical infrastructure sectors.

The exposure of charging station authentication identifiers can have several impacts on organizations worldwide. Confidentiality is compromised as sensitive credentials are publicly accessible, potentially allowing unauthorized parties to gather intelligence on infrastructure or user credentials. Integrity is at risk because attackers could impersonate legitimate charging stations or users, leading to fraudulent use of charging services, manipulation of billing data, or unauthorized access to the charging network. Although availability is not directly affected, indirect impacts such as service disruption through unauthorized access or manipulation cannot be ruled out. For organizations operating electric vehicle charging infrastructure, this could result in financial losses, reputational damage, and erosion of customer trust. Additionally, attackers could leverage this information to facilitate further attacks on connected systems or escalate privileges within the network. The lack of authentication or user interaction needed for exploitation increases the risk profile, as attackers can remotely access the identifiers without sophisticated techniques. The vulnerability's presence in all versions of eParking.fi suggests widespread exposure, potentially affecting numerous deployments globally.

Given the absence of official patches, organizations should implement compensating controls immediately. First, restrict access to web-based mapping platforms or interfaces that expose authentication identifiers by implementing strict access controls, network segmentation, and firewall rules limiting external visibility. Employ monitoring and anomaly detection to identify unusual access patterns or attempts to use exposed identifiers. Consider obfuscating or rotating authentication identifiers where possible to reduce the window of exposure. Engage with IGL-Technologies to obtain guidance or early patches and apply them promptly once available. Additionally, implement multi-factor authentication and robust logging on charging station management systems to detect and prevent unauthorized access. Educate staff and users about the risks of publicly exposed credentials and encourage reporting of suspicious activity. Finally, conduct regular security assessments and penetration testing focused on authentication mechanisms to identify and remediate similar vulnerabilities proactively.