CVE-2026-20744
Hydro-Québec · Le Circuit Electrique charging station backend
The Le Circuit Electrique charging station backend contains a websocket authentication bypass vulnerability that could lead to unauthorized privilege escalation.
Executive summary
An unauthenticated websocket endpoint in the Le Circuit Electrique charging station backend allows for unauthorized access and potential privilege escalation.
Vulnerability
The application’s websocket endpoint fails to perform proper authentication (CWE-284), allowing unauthenticated entities to establish connections. This technical oversight enables attackers to escalate privileges within the backend infrastructure.
Business impact
Exploitation of this vulnerability could lead to the unauthorized control of charging infrastructure, resulting in significant operational disruption and public service impacts. The CVSS score of 9.8 reflects the extreme severity of allowing unauthenticated access to critical utility infrastructure.
Remediation
Immediate Action: Ensure the backend system has implemented the vendor-provided mitigations, which include disabling the vulnerable OCPP protocol or applying updated authentication systems as directed by Hydro-Québec.
Proactive Monitoring: Monitor websocket traffic for anomalous connection patterns and review authentication logs for any unauthorized access attempts to the backend management interface.
Compensating Controls: Restrict network access to the backend websocket endpoints to trusted management subnets only, utilizing firewalls or VPNs as a secondary layer of defense.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the infrastructure-critical nature of this product, immediate coordination with Hydro-Québec is required to verify that the specific remediation steps (disabling OCPP or enabling mandatory authentication) have been correctly applied to all affected units.