
CVE-2026-26051: WebSocket Auth Bypass Vulnerability

CVE-2026-26051 is an authentication bypass flaw in WebSocket endpoints that allows attackers to impersonate charging stations and manipulate OCPP commands. This article covers technical details, impact, and mitigation.

Published: March 13, 2026

CVE-2026-26051 Overview

CVE-2026-26051 is a critical authentication bypass vulnerability affecting WebSocket endpoints in electric vehicle (EV) charging infrastructure. The vulnerability stems from missing authentication mechanisms on OCPP (Open Charge Point Protocol) WebSocket endpoints, which allows unauthenticated attackers to impersonate legitimate charging stations and manipulate backend communications.

An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Critical Impact

Unauthenticated remote attackers can impersonate charging stations over the network, potentially compromising entire EV charging networks and manipulating critical infrastructure data.

Affected Products

  • OCPP-based EV Charging Management Systems
  • Electric Vehicle Charging Station Backend Services
  • WebSocket-enabled Charging Infrastructure Components

Discovery Timeline

  • March 6, 2026 - CVE-2026-26051 published to NVD
  • March 9, 2026 - Last updated in NVD database

Technical Details for CVE-2026-26051

Vulnerability Analysis

This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The OCPP WebSocket endpoints fail to implement proper authentication mechanisms, creating a significant security gap in EV charging infrastructure. The vulnerability is remotely exploitable with low attack complexity and requires no user interaction or prior privileges, making it highly accessible to potential attackers.

The impact is substantial across confidentiality and integrity dimensions—attackers can both read sensitive charging station data and inject malicious commands into the backend system. While availability impact is lower, the potential for data corruption and unauthorized infrastructure control represents a severe risk to critical infrastructure operations.

Root Cause

The root cause of CVE-2026-26051 is the complete absence of authentication mechanisms on WebSocket endpoints used for OCPP communications. The system accepts connections from any client that presents a valid charging station identifier without verifying the identity of the connecting entity. This design flaw violates fundamental security principles for critical infrastructure systems, where strong mutual authentication should be mandatory.

Attack Vector

The attack vector operates over the network, allowing remote exploitation without physical access to the charging infrastructure. An attacker can exploit this vulnerability through the following sequence:

  1. Discover or enumerate valid charging station identifiers through reconnaissance
  2. Establish a WebSocket connection to the OCPP endpoint using a target station's identifier
  3. Send OCPP commands as the impersonated charging station
  4. Receive backend responses and commands intended for the legitimate station
  5. Manipulate charging session data, billing information, or infrastructure status reports

The attack requires no authentication credentials, special privileges, or user interaction, making it trivially exploitable once an attacker identifies the WebSocket endpoint and valid station identifiers. Attackers could potentially disrupt charging operations, manipulate energy consumption data, or use the compromised position to pivot deeper into the charging network's infrastructure.

Detection Methods for CVE-2026-26051

Indicators of Compromise

  • Multiple WebSocket connections originating from the same charging station identifier but different source IP addresses
  • Unusual geographic patterns in connection origins that don't match physical station locations
  • Anomalous OCPP command sequences or timing patterns that deviate from normal charger behavior
  • Conflicting status reports or charging session data for the same station identifier

Detection Strategies

  • Implement WebSocket connection logging with correlation analysis to detect duplicate station identifier usage
  • Deploy network intrusion detection rules to identify OCPP traffic anomalies and unauthorized connection attempts
  • Monitor for rapid connection attempts to OCPP endpoints from unexpected network ranges
  • Establish baseline behavioral profiles for charging stations and alert on deviations

Monitoring Recommendations

  • Enable detailed audit logging for all OCPP WebSocket connections including source IP, timestamp, and station identifier
  • Implement real-time alerting for multiple concurrent sessions using the same station identifier
  • Monitor backend data integrity for inconsistencies that may indicate impersonation attacks
  • Review network traffic patterns to OCPP endpoints for reconnaissance or enumeration activity
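
The duplicate-identifier check described above can be run directly over the connection audit log. The following is an added example, not code from the advisory or any vendor; the JSON log format and its field names (`ts`, `event`, `conn`, `station`, `src`) are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit log, one JSON object per line, in time order.
SAMPLE_LOG = """\
{"ts": "2026-03-10T08:00:00Z", "event": "open", "conn": "c1", "station": "CP-0001", "src": "10.10.0.15"}
{"ts": "2026-03-10T08:00:05Z", "event": "open", "conn": "c2", "station": "CP-0002", "src": "10.10.0.16"}
{"ts": "2026-03-10T08:02:00Z", "event": "close", "conn": "c2", "station": "CP-0002", "src": "10.10.0.16"}
{"ts": "2026-03-10T08:02:30Z", "event": "open", "conn": "c3", "station": "CP-0002", "src": "10.10.0.16"}
{"ts": "2026-03-10T08:05:00Z", "event": "open", "conn": "c4", "station": "CP-0001", "src": "203.0.113.50"}
"""


def find_concurrent_sessions(log_text):
    """Return one alert per 'open' event that overlaps a live session
    for the same station identifier from a different source IP."""
    live = defaultdict(dict)  # station -> {conn_id: src_ip} for open sockets
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sessions = live[ev["station"]]
        if ev["event"] == "close":
            sessions.pop(ev["conn"], None)  # a normal reconnect closes first
            continue
        # New socket while the same ID is still connected from elsewhere.
        others = sorted({ip for ip in sessions.values() if ip != ev["src"]})
        if others:
            alerts.append({"ts": ev["ts"], "station": ev["station"],
                           "new_src": ev["src"], "existing_src": others})
        sessions[ev["conn"]] = ev["src"]
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(SAMPLE_LOG):
        print(alert)
```

Stations on cellular links can change address without a logged close, so treat an alert as a lead to correlate with conflicting status reports rather than as proof of impersonation.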

How to Mitigate CVE-2026-26051

Immediate Actions Required

  • Implement strong mutual authentication (TLS client certificates) for all OCPP WebSocket connections
  • Deploy network segmentation to restrict access to OCPP endpoints from untrusted networks
  • Enable IP allowlisting for known charging station IP addresses where feasible
  • Conduct an audit of existing station identifiers to ensure uniqueness and prevent enumeration

Patch Information

Organizations should consult the CISA ICS Advisory ICSA-26-062-06 for official guidance and remediation recommendations. Additionally, affected organizations can review the GitHub CSAF JSON File for detailed vulnerability information in machine-readable format. Users of Mobiliti systems should contact Mobiliti Customer Support for vendor-specific patches and updates.

Workarounds

  • Place OCPP WebSocket endpoints behind a VPN or private network to limit exposure
  • Implement application-layer authentication checks at the backend to validate station identity
  • Deploy a Web Application Firewall (WAF) with custom rules to detect and block suspicious OCPP traffic
  • Use station-specific authentication tokens until proper certificate-based authentication can be implemented

```bash
# Example: Restrict OCPP WebSocket access to known station IP ranges using iptables
iptables -A INPUT -p tcp --dport 9000 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -s 10.20.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
```
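
The application-layer check and station-specific tokens listed above can be enforced at the WebSocket upgrade, before any OCPP message is processed. This is an added sketch, not vendor code: it assumes the connection is already inside TLS, that the station identifier is the last path segment (`/ocpp/<station_id>`), that tokens arrive as HTTP Basic credentials with the station identifier as username, and that `headers` is a plain dict; `enroll` and `authorize_upgrade` are hypothetical names.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for stored token hashes


def hash_token(token: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)


def enroll(store: dict, station_id: str, token: str) -> None:
    """Store only a salted hash of the station's token."""
    salt = os.urandom(16)
    store[station_id] = (salt, hash_token(token, salt))


def authorize_upgrade(path: str, headers: dict, store: dict):
    """Decide whether a WebSocket upgrade for /ocpp/<station_id> may proceed."""
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False, "missing credentials"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False, "malformed credentials"
    user, sep, token = decoded.partition(":")
    # The credential must belong to the identifier in the URL; otherwise one
    # station's token could be replayed under another station's identity.
    if not sep or user != station_id:
        return False, "identity mismatch"
    # Unknown stations still pay for one hash so timing does not reveal
    # which identifiers are enrolled.
    salt, expected = store.get(station_id, (b"\0" * 16, b""))
    if hmac.compare_digest(hash_token(token, salt), expected):
        return True, "ok"
    return False, "bad credentials"
```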

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: OCPP
  • Severity: CRITICAL
  • CVSS Score: 9.3
  • EPSS Probability: 0.12%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

CWE References

  • CWE-306

Technical References

  • GitHub CSAF JSON File
  • Mobiliti Customer Support Page
  • CISA ICS Advisory ICSA-26-062-06

Related CVEs

  • CVE-2026-29796: WebSocket OCPP Auth Bypass Vulnerability
  • CVE-2026-25192: WebSocket OCPP Auth Bypass Vulnerability
  • CVE-2026-26288: WebSocket Auth Bypass Vulnerability
  • CVE-2026-22552: WebSocket OCPP Auth Bypass Vulnerability