CVE-2026-22099

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.

Credits

Wilco van Beijnum (ElaadNL)
Jeroen van der Ham-de Vos (DIVD)

References