Skip to main content

Le Circuit Electrique Charging Station Backend CVE-2026-20744

| EUVDEUVD-2026-43094 CRITICAL
Improper Access Control (CWE-284)
2026-07-10 icscert GHSA-v4hh-p8gf-c722
9.3
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Remote unauthenticated access to a WebSocket endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N) and privilege escalation yielding full control of backend operations gives high C/I/A.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 10, 2026 - 23:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 23:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 23:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jul 10, 2026 - 22:55 vuln.today

DescriptionCVE.org

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

AnalysisAI

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Identify all Hydro-Québec Le Circuit Électrique backend instances and confirm deployed versions-flag any pre-June 2026 releases as critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-20744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy