Skip to main content

Le Circuit Electrique Charging Station Backend

3 CVEs product

Monthly

CVE-2026-44383 HIGH CISA Act Now

Backend resource exhaustion in Hydro-Québec's Le Circuit Electrique EV charging station backend (all versions prior to the June 2026 fix) lets remote unauthenticated attackers open multiple simultaneous OCPP sessions under a single charging station identifier, flooding the platform with rogue clients. Because the backend never enforces one active session per station ID, an attacker can spin up many spoofed OCPP clients and exhaust backend capacity, degrading or denying service to legitimate charging stations. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-42952 HIGH CISA Act Now

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but it was reported through ICS-CERT and documented in CISA ICS advisory ICSA-26-188-01.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-20744 CRITICAL CISA Emergency

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
EPSS 1% CVSS 8.7
HIGH Act Now

Backend resource exhaustion in Hydro-Québec's Le Circuit Electrique EV charging station backend (all versions prior to the June 2026 fix) lets remote unauthenticated attackers open multiple simultaneous OCPP sessions under a single charging station identifier, flooding the platform with rogue clients. Because the backend never enforces one active session per station ID, an attacker can spin up many spoofed OCPP clients and exhaust backend capacity, degrading or denying service to legitimate charging stations. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH Act Now

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but it was reported through ICS-CERT and documented in CISA ICS advisory ICSA-26-188-01.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Emergency

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy