CVE-2026-42952 PUBLISHED

Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts

Assigner: icscert
Reserved: 07.05.2026 Published: 10.07.2026 Updated: 10.07.2026

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Hydro-Québec
Product Le Circuit Electrique charging station backend
Versions Default: unaffected
  • affected from 0 to June_2026 (excl.)

Solutions

Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions.

Credits

  • An anonymous researcher reported this vulnerability to CISA finder

References

Problem Types

  • CWE-307 CWE