CVE-2026-20744 PUBLISHED

Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control

Assigner: icscert
Reserved: 27.01.2026 Published: 10.07.2026 Updated: 10.07.2026

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Hydro-Québec
Product Le Circuit Electrique charging station backend
Versions Default: unaffected
  • affected from 0 to June_2026 (excl.)

Solutions

Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions.

Credits

  • An anonymous researcher reported this vulnerability to CISA finder

References

Problem Types

  • CWE-284 CWE