{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-40702: EVoke Systems EVoke CSMS Missing Authentication for Critical Function","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-40702","status":"final","version":"1","initial_release_date":"2026-06-25T20:59:53.495Z","current_release_date":"2026-06-25T20:59:53.495Z","revision_history":[{"date":"2026-06-25T20:59:53.495Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-40702 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-40702"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-40702"},{"category":"external","summary":"evokesystems.com","url":"https://evokesystems.com/contact-us/"},{"category":"external","summary":"cisa.gov","url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02"},{"category":"external","summary":"github.com","url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-02.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"EVoke","branches":[{"category":"product_name","name":"EVoke CSMS","branches":[{"category":"product_version","name":"All versions","product":{"name":"EVoke EVoke CSMS All versions","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:evoke:evoke_csms:all_versions:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-40702","title":"EVoke Systems EVoke CSMS Missing Authentication for Critical Function","notes":[{"category":"description","text":"WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}