Search
Find a vulnerability
Search criteria
6 vulnerabilities by Hydro-Québec
CVE-2026-44383 (GCVE-0-2026-44383)
Vulnerability from nvd – Published: 2026-07-10 22:11 – Updated: 2026-07-10 22:11
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expiration
Summary
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple connections to the backend using the same charging station ID \nare allowed, which could allow an attacker to deploy multiple instances \nof malicious OCPP clients to overwhelm the backend."
}
],
"value": "Multiple connections to the backend using the same charging station ID \nare allowed, which could allow an attacker to deploy multiple instances \nof malicious OCPP clients to overwhelm the backend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:11:16.866Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Insufficient Session Expiration",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-44383",
"datePublished": "2026-07-10T22:11:16.866Z",
"dateReserved": "2026-05-07T16:55:26.145Z",
"dateUpdated": "2026-07-10T22:11:16.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42952 (GCVE-0-2026-42952)
Vulnerability from nvd – Published: 2026-07-10 22:09 – Updated: 2026-07-10 22:09
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts
Summary
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Previously, there was no throttling on repeated authentication attempts \nto the charging station backend, which could allow an attacker to \nexecute a denial-of-service attack."
}
],
"value": "Previously, there was no throttling on repeated authentication attempts \nto the charging station backend, which could allow an attacker to \nexecute a denial-of-service attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:09:16.884Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-42952",
"datePublished": "2026-07-10T22:09:16.884Z",
"dateReserved": "2026-05-07T16:55:26.126Z",
"dateUpdated": "2026-07-10T22:09:16.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20744 (GCVE-0-2026-20744)
Vulnerability from nvd – Published: 2026-07-10 22:07 – Updated: 2026-07-10 22:07
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control
Summary
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
Severity
9.8 (Critical)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The charging station websocket endpoint accepts connections without \nproper authentication, which could lead to privilege escalation."
}
],
"value": "The charging station websocket endpoint accepts connections without \nproper authentication, which could lead to privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:07:23.971Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Improper Access Control",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20744",
"datePublished": "2026-07-10T22:07:23.971Z",
"dateReserved": "2026-01-27T23:33:47.834Z",
"dateUpdated": "2026-07-10T22:07:23.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44383 (GCVE-0-2026-44383)
Vulnerability from cvelistv5 – Published: 2026-07-10 22:11 – Updated: 2026-07-10 22:11
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expiration
Summary
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple connections to the backend using the same charging station ID \nare allowed, which could allow an attacker to deploy multiple instances \nof malicious OCPP clients to overwhelm the backend."
}
],
"value": "Multiple connections to the backend using the same charging station ID \nare allowed, which could allow an attacker to deploy multiple instances \nof malicious OCPP clients to overwhelm the backend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:11:16.866Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Insufficient Session Expiration",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-44383",
"datePublished": "2026-07-10T22:11:16.866Z",
"dateReserved": "2026-05-07T16:55:26.145Z",
"dateUpdated": "2026-07-10T22:11:16.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42952 (GCVE-0-2026-42952)
Vulnerability from cvelistv5 – Published: 2026-07-10 22:09 – Updated: 2026-07-10 22:09
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts
Summary
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Previously, there was no throttling on repeated authentication attempts \nto the charging station backend, which could allow an attacker to \nexecute a denial-of-service attack."
}
],
"value": "Previously, there was no throttling on repeated authentication attempts \nto the charging station backend, which could allow an attacker to \nexecute a denial-of-service attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:09:16.884Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-42952",
"datePublished": "2026-07-10T22:09:16.884Z",
"dateReserved": "2026-05-07T16:55:26.126Z",
"dateUpdated": "2026-07-10T22:09:16.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20744 (GCVE-0-2026-20744)
Vulnerability from cvelistv5 – Published: 2026-07-10 22:07 – Updated: 2026-07-10 22:07
VLAI
EPSS
VEX
Title
Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control
Summary
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
Severity
9.8 (Critical)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hydro-Québec | Le Circuit Electrique charging station backend |
Affected:
0 , < June_2026
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Le Circuit Electrique charging station backend",
"vendor": "Hydro-Qu\u00e9bec",
"versions": [
{
"lessThan": "June_2026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous researcher reported this vulnerability to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The charging station websocket endpoint accepts connections without \nproper authentication, which could lead to privilege escalation."
}
],
"value": "The charging station websocket endpoint accepts connections without \nproper authentication, which could lead to privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:07:23.971Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.hydroquebec.com/nous-joindre/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"value": "Hydro-Qu\u00e9bec has updated the majority of charging stations to disable \nOCPP, mitigating the risk of exploitation. Hydro-Qu\u00e9bec has also \nimplemented authentication systems to mitigate the issue for certain \ncharging stations which are still reliant on OCPP. Contact Hydro-Qu\u00e9bec \nwith any additional questions."
}
],
"source": {
"advisory": "ICSA-26-188-01",
"discovery": "EXTERNAL"
},
"title": "Hydro-Qu\u00e9bec Le Circuit Electrique charging station backend Improper Access Control",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20744",
"datePublished": "2026-07-10T22:07:23.971Z",
"dateReserved": "2026-01-27T23:33:47.834Z",
"dateUpdated": "2026-07-10T22:07:23.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}