DIVD-2026-00001 - DIVD-2026-00001 – EVbee Service App and DC Quick Charging Station
| Our reference | DIVD-2026-00001 |
| Case lead | Wilco van Beijnum (ElaadNL) |
| Author | Jeroen van der Ham-de Vos |
| Researcher(s) |
|
| CVE(s) | |
| Versions | EVbee Service App prior to 1.4.710, DC Quick Charger Firmware prior to V1.5.1 |
| Patch status | Available |
| Status | Open |
| Last modified | 10 Jul 2026 13:00 CEST |
Summary
One vulnerabilties has been found in the EVbee Service App, and several have been found in the DC Quick Charging station firmware by ElaadNL. ElaadNL has worked with EVbee to resolve these vulnerabiltiies and has requested help from DIVD for CVE registration.
Vulnerability details
- CVE-2026-22093 — Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app
- CVE-2026-22095 — Command injection in diagnosis web endpoint
- CVE-2026-22096 — Missing authentication for webserver endpoints
- CVE-2026-22097 — Missing firmware validation allows remote code execution
- CVE-2026-22098 — Sensitive information is written to logs
- CVE-2026-22099 — Missing authentication for Bluetooth communication
- CVE-2026-22100 — Comnand injection in OCPP ReserveLogin message
- CVE-2026-22102 — Arbitrary file overwrite through certificate update functionality
- CVE-2026-22103 — Command injection in NPC start web endpoint
What you can do
We strongly advise users to update their Service App and ensure that the DC Quick Charging Station has connectivity to update the firmware.
Timeline
| Date | Description |
|---|---|
| 05 Jan 2026 | Initial disclosure from Elaad to EVbee, support from DIVD for CVE Registration |
| 10 Jul 2026 | Publication of initial batch of vulnerabilities. |
gantt
title DIVD-2026-00001 - DIVD-2026-00001 – EVbee Service App and DC Quick Charging Station
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2026-00001 - DIVD-2026-00001 – EVbee Service App and DC Quick Charging Station (still open) :2026-01-05, 2026-07-19
section Events
Initial disclosure from Elaad to EVbee, support from DIVD for CVE Registration : milestone, 2026-01-05, 0d
Publication of initial batch of vulnerabilities. : milestone, 2026-07-10, 0d
More Information
- CVE-2026-22093
- CVE-2026-22094
- CVE-2026-22095
- CVE-2026-22096
- CVE-2026-22097
- CVE-2026-22098
- CVE-2026-22099
- CVE-2026-22100
- CVE-2026-22101
- CVE-2026-22102
- CVE-2026-22103