CVE-2026-22093
Received
Received - Intake
EVbee Service Android App TLS Certificate Validation Bypass
Vulnerability report for CVE-2026-22093, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-13
Last updated on: 2026-07-13
Assigner: Dutch Institute for Vulnerability Disclosure
Description
Description
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.
This issue affects EVbee Service: v1.4.101.00.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| evbee_service | evbee_service | 1.4.101.00 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |