CVE-2026-27647

Name of the Vulnerable Software and Affected Versions Charging station software (affected versions not specified)

Description The WebSocket backend associates sessions using charging station identifiers, but allows multiple endpoints to connect with the same session identifier. This results in predictable session identifiers, enabling session hijacking or shadowing. The latest connection replaces the legitimate charging station, receiving backend commands intended for it. This could allow unauthorized authentication or a denial-of-service condition by overwhelming the backend with valid session requests. The vulnerable component uses charging station identifiers to uniquely associate sessions. The API endpoint is susceptible to session hijacking due to predictable session identifiers. The session identifier variable is vulnerable to manipulation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.