CVE-2026-27647

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27647

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

T

he WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

References
Link Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 Third Party Advisory VDB Entry
https://www.mobility46.se/en/contact-us Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:mobility46:mobility46.se:*:*:*:*:*:*:*:*
History

02 Mar 2026, 18:22

Type Values Removed Values Added
First Time Mobility46 mobility46.se
Mobility46
CPE cpe:2.3:a:mobility46:mobility46.se:*:*:*:*:*:*:*:*
References () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json - () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json - Third Party Advisory
References () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 - () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08 - Third Party Advisory, VDB Entry
References () https://www.mobility46.se/en/contact-us - () https://www.mobility46.se/en/contact-us - Product

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) El backend de WebSocket utiliza identificadores de estaciones de carga para asociar sesiones de forma única, pero permite que múltiples puntos finales se conecten utilizando el mismo identificador de sesión. Esta implementación resulta en identificadores de sesión predecibles y permite el secuestro o la suplantación de sesión, donde la conexión más reciente desplaza a la estación de carga legítima y recibe comandos del backend destinados a esa estación. Esta vulnerabilidad puede permitir a usuarios no autorizados autenticarse como otros usuarios o permitir que un actor malicioso cause una condición de denegación de servicio al sobrecargar el backend con solicitudes de sesión válidas.

27 Feb 2026, 01:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-27 01:16

Updated : 2026-03-05 21:16

NVD link : CVE-2026-27647

Mitre link : CVE-2026-27647

CVE.ORG link : CVE-2026-27647

JSON object : View

Products Affected

mobility46

CWE
CWE-613

Insufficient Session Expiration