CVE-2026-20744

Hydro-Québec · Le Circuit Electrique charging station backend

The Le Circuit Electrique charging station backend contains a websocket authentication bypass vulnerability that could lead to unauthorized privilege escalation.

Executive summary

An unauthenticated websocket endpoint in the Le Circuit Electrique charging station backend allows for unauthorized access and potential privilege escalation.

Vulnerability

The application’s websocket endpoint fails to perform proper authentication (CWE-284), allowing unauthenticated entities to establish connections. This technical oversight enables attackers to escalate privileges within the backend infrastructure.

Business impact

Exploitation of this vulnerability could lead to the unauthorized control of charging infrastructure, resulting in significant operational disruption and public service impacts. The CVSS score of 9.8 reflects the extreme severity of allowing unauthenticated access to critical utility infrastructure.

Remediation

Immediate Action: Ensure the backend system has implemented the vendor-provided mitigations, which include disabling the vulnerable OCPP protocol or applying updated authentication systems as directed by Hydro-Québec.

Proactive Monitoring: Monitor websocket traffic for anomalous connection patterns and review authentication logs for any unauthorized access attempts to the backend management interface.

Compensating Controls: Restrict network access to the backend websocket endpoints to trusted management subnets only, utilizing firewalls or VPNs as a secondary layer of defense.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the infrastructure-critical nature of this product, immediate coordination with Hydro-Québec is required to verify that the specific remediation steps (disabling OCPP or enabling mandatory authentication) have been correctly applied to all affected units.