CVE-2026-44383 PUBLISHED

Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expiration

Assigner: icscert
Reserved: 07.05.2026 Published: 10.07.2026 Updated: 10.07.2026

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Hydro-Québec
Product Le Circuit Electrique charging station backend
Versions Default: unaffected
  • affected from 0 to June_2026 (excl.)

Solutions

Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions.

Credits

  • An anonymous researcher reported this vulnerability to CISA finder

References

Problem Types

  • CWE-613 CWE