WebSocket Authentication Flaw in Hydro-Québec Charging Station
CVE-2026-20744

9.3CRITICAL

Key Information:

Vendor
CVE Published:
10 July 2026

What is CVE-2026-20744?

The Hydro-Québec charging station features a WebSocket endpoint that allows unauthenticated connections. This security oversight can lead to privilege escalation, enabling unauthorized users to access sensitive functionalities and potentially compromise the integrity of the system. Proper authentication mechanisms should be implemented to safeguard against unauthorized access and ensure the security of the infrastructure.

Affected Version(s)

Le Circuit Electrique charging station backend 0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

An anonymous researcher reported this vulnerability to CISA
.