CVE-2026-50176
Deferred Deferred - Pending Action

WebSocket API Authentication Rate Limiting Bypass

Vulnerability report for CVE-2026-50176, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
evoke charging_station_management_system *
evoke electric_vehicle_supply_equipment *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists because the WebSocket Application Programming Interface does not limit the number of authentication requests that can be made.

Without restrictions on authentication attempts, an attacker can repeatedly try to authenticate, potentially overwhelming the system or attempting to guess credentials.

Compliance Impact

The vulnerability allows an attacker to perform denial-of-service or brute-force attacks due to lack of rate limiting on authentication requests. This can lead to unauthorized access attempts and service disruption.

Such security weaknesses may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of systems against unauthorized access and ensuring availability and integrity of data.

However, specific effects on compliance are not detailed in the provided information.

Impact Analysis

The lack of rate limiting on authentication requests can allow attackers to perform denial-of-service (DoS) attacks, which can disrupt service availability.

Additionally, attackers may conduct brute-force attacks to gain unauthorized access by repeatedly trying different authentication credentials.

Detection Guidance

Detection of this vulnerability involves monitoring for excessive authentication requests on the WebSocket API, which lacks rate limiting. Network administrators should look for unusual spikes in authentication attempts that could indicate brute-force or denial-of-service attacks.

Specific commands are not provided in the available resources, but general approaches include using network monitoring tools or WebSocket traffic analyzers to identify repeated authentication requests from the same source.

Mitigation Strategies

Immediate mitigation steps include implementing server-side protections such as rate limiting on authentication requests and enforcing single active connections per charger ID.

Additional recommendations are to migrate legacy chargers to stronger security profiles (OCPP Security Profiles 2 or 3), minimize network exposure of vulnerable systems, isolate control systems from other networks, and use secure remote access methods like VPNs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart