CVE-2026-50176
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| EVoke | EVoke CSMS | All versions | affected |
Weaknesses
- CWE-307: CWE-307
Workarounds
EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers. EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review. EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns. EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include identification of unsupported EVSE models and risk classification Migration planning with site operators where possible
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://evokesystems.com/contact-us/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-02.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.