CVE-2026-25711

Name of the Vulnerable Software and Affected Versions Versions prior to the fixed version (affected versions not specified)

Description The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This results in predictable session identifiers, enabling session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests. The affected API endpoints utilize charging station identifiers for session association. The vulnerability stems from the predictable nature of session identifiers, allowing an attacker to connect with a valid identifier and potentially displace a legitimate session.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.