- Product: Hydro-Québec Le Circuit Electrique charging station backend
- Vulnerabilities: 3 flaws (CVE-2026-20744, CVE-2026-42952, CVE-2026-44383)
- Highest severity: 9.8 (Critical · CVSSv3)
- Worst impact: Improper Access Control
- Status: No confirmed exploitation yet; patches available
- Action: Update to June_2026 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-20744 | 9.8 | Improper Access Control | June_2026 | Not exploited |
| CVE-2026-42952 | 7.5 | Improper Restriction of Excessive Authentication Attempts | June_2026 | Not exploited |
| CVE-2026-44383 | 7.5 | Insufficient Session Expiration | June_2026 | Not exploited |
Hydro-Québec recently disclosed a severe privilege escalation flaw impacting its electric vehicle charging network. This critical vulnerability endangers the Le Circuit Electrique charging station backend.
TL;DR
Three security vulnerabilities affect Hydro-Québec EV charging stations. The most severe bug, CVE-2026-20744, carries a 9.8 CVSS score. Attackers could exploit this to trigger privilege escalation or launch denial-of-service attacks. Currently, no such activity has been confirmed in the wild.
Why It Matters
Electric vehicle infrastructure forms a vital part of modern transportation grids. Threat actors can disrupt critical public services by attacking charging networks. A successful privilege escalation attack allows unauthorized users to gain high-level backend access. Attackers could theoretically manipulate charging sessions, steal data, or disable stations entirely. This poses a major threat to public mobility and infrastructure reliability.
How the Attack Works
The US Cybersecurity and Infrastructure Security Agency published an official advisory detailing these issues. The primary vulnerability stems from an insecure websocket endpoint. This endpoint accepts external connections without proper authentication. An attacker sends targeted requests to this interface. Consequently, they bypass security controls and increase their system rights.
Two additional denial-of-service flaws exist. CVE-2026-42952 involves missing rate limits on authentication attempts. Hackers can flood the server with login requests to crash the service. Furthermore, CVE-2026-44383 allows multiple concurrent connections using a single charging station ID. Attackers deploy malicious clients to overwhelm the backend resources.
Affected Versions
These software bugs impact the Hydro-Québec Le Circuit Electrique charging station backend. Specifically, the vulnerabilities affect all product versions released prior to June 2026.
Patch and Mitigation Steps
Hydro-Québec has already deployed significant mitigations. The vendor updated the majority of affected charging stations to completely disable the OCPP protocol. This action stops the attack path. For stations still relying on OCPP, the company implemented strict authentication systems. Administrators should contact Hydro-Québec directly for further guidance.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.