CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-42952

criticalCVSS 7.5covered by 2 sourcesfirst seen 2026-07-07
View CSAF Summary Successful exploitation of these vulnerabilities could lead to privilege escalation, or result in a denial-of-service attack. The following versions of Hydro-Québec Le Circuit Electrique charging station backend are affected: Le Circuit Electrique charging station backend CVSS Vendor Equipment Vulnerabilities v3 9.8 Hydro-Québec Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration Background Critical Infrastructure Sectors: Transportation Systems Countries/Areas Deployed: Canada Company Headquarters Location: Canada Vulnerabilities Expand All + CVE-2026-20744 The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. View CVE Details Affected Products Hydro-Québec Le Circuit Electrique charging station backend Vendor: Hydro-Québec Product Version: Hydro-Québec Le Circuit Electrique charging station backend: <June_2026 Product Status: known_affected Remediations Mitigation Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions. Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 4.0 9.3 CRITICAL CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-42952 Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a Denial-of-Service attack. View CVE Details Affected Products Hydro-Québec Le Circuit Electrique charging station backend Vendor: Hydro-Québec Product Version: Hydro-Québec Le Circui

CSIRTS triage

What
Vulnerabilities could lead to privilege escalation or denial-of-service attacks.
Who is affected
Deployments of the Le Circuit Electrique charging station backend in Canada.
Urgency
Remediation is critical due to the high CVSS score and potential for severe impact.
Action
Implement the recommended security measures to secure the websocket endpoint.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-42952

Get an email if CVE-2026-42952 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (2)

External references

NVD record for CVE-2026-42952

CVE.org record

Embed the live status

CVE-2026-42952 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-42952 status](https://www.csirts.com/badge/CVE-2026-42952)](https://www.csirts.com/cve/CVE-2026-42952)