CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-20744

CVE-2026-20744: Improper Access Control in Le Circuit Électrique Charging Station Backend

Alon Barad
Alon Barad
Software Engineer

Jul 17, 2026·8 min read·5 visits

Executive Summary (TL;DR)

Unauthenticated WebSocket connection upgrade allows remote attackers to impersonate EV charging stations, spoof transactions, and disrupt critical grid infrastructure.

A critical improper access control vulnerability (CWE-284) in the WebSocket upgrade endpoint of Le Circuit Électrique charging station backend allows remote, unauthenticated attackers to connect to the Charging Station Management System and impersonate charging stations.

Vulnerability Overview

CVE-2026-20744 defines a critical improper access control vulnerability within the backend infrastructure of Le Circuit Électrique, an electric vehicle charging station network operated by Hydro-Québec. The vulnerability resides specifically within the WebSocket endpoint exposed by the Charging Station Management System (CSMS) backend. This endpoint is responsible for processing incoming connections from physical charging stations using the Open Charge Point Protocol (OCPP).

Because the endpoint lacks authentication controls during the connection establishment phase, external actors can establish unauthorized communication channels with the CSMS. The affected backend exposes a public-facing network interface that handles these persistent, bidirectional WebSocket connections. Under normal operating conditions, this interface manages transactional, diagnostic, and state data between physical charging stations and the central management system.

The vulnerability is classified under CWE-284 (Improper Access Control). If exploited, the flaw permits an unauthenticated remote attacker to connect directly to the backend server and impersonate any legitimate charging station. This unauthorized connection serves as a vector for privilege escalation and subsequent exploitation of downstream charging services.

Root Cause Analysis

The root cause of CVE-2026-20744 lies in the failure of the WebSocket upgrade handler to validate the client's identity before upgrading the HTTP connection to a WebSocket session. The backend system implements the Open Charge Point Protocol (OCPP) over WebSockets (typically OCPP 1.6J or OCPP 2.0.1) for bidirectional telemetry and control. This architecture relies on persistent TCP connections initiated by the charging stations to bypass typical network address translation (NAT) barriers.

In a secure implementation, the CSMS backend must perform strict authentication during the initial HTTP GET request containing the Upgrade: websocket header. This authentication is standardly performed using either Mutual TLS (mTLS) with client certificates or HTTP basic authentication tokens transmitted in the request headers. The vulnerable routing mechanism in Le Circuit Électrique backend omitted these verification steps, processing the upgrade request based solely on the path variable.

The backend router matched incoming upgrade requests to a dynamic route structure containing the unique identifier of the charging station, such as /ocpp/{ChargePointId}. The router accepted the connection and upgraded the protocol without verifying if the requesting client possessed the cryptographic keys or credentials associated with that specific ChargePointId. Once the protocol upgrade completed, the backend registered the physical connection as a trusted node within its state machine, associating the TCP socket directly with the identifier provided in the URL.

Code-Level Analysis of the Flaw

An analysis of the architectural flaw indicates that the connection upgrade logic failed to intercept and authorize the HTTP upgrade request before establishing the WebSocket channel. The following pseudocode models the vulnerable routing and handshake handling mechanism.

// VULNERABLE: The handler upgrades connections based purely on the path parameter without authentication
func (h *OcppHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    // Extract the charging station identifier directly from the URL path
    vars := mux.Vars(r)
    chargePointID := vars["ChargePointId"]
 
    // Missing authentication check: Anyone can specify any ChargePointId in the URL path
    // No mTLS validation is performed on r.TLS.PeerCertificates
    // No token validation is performed on r.Header.Get("Authorization")
 
    // Upgrade the connection to a persistent WebSocket session
    conn, err := h.upgrader.Upgrade(w, r, nil)
    if err != nil {
        log.Printf("Failed to upgrade connection for station %s: %v", chargePointID, err)
        return
    }
 
    // The backend registers the active connection under the unauthenticated ID
    h.registry.Register(chargePointID, conn)
}

The remediation requires intercepting the HTTP request prior to executing the connection upgrade. Secure implementations must enforce either client certificate verification or token validation. The following example demonstrates the remediated logic incorporating basic authentication token verification and client certificate mapping:

// PATCHED: The handler validates authorization headers and client certificates before protocol upgrade
func (h *OcppHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    chargePointID := vars["ChargePointId"]
 
    // 1. Enforce TLS Client Certificate validation if configured
    if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
        clientCert := r.TLS.PeerCertificates[0]
        if err := h.validator.VerifyCertificate(clientCert, chargePointID); err != nil {
            http.Error(w, "Unauthorized: Invalid client certificate mapping", http.StatusUnauthorized)
            return
        }
    } else {
        // Fall back to token-based authorization if mTLS is not active on this interface
        authToken := r.Header.Get("Authorization")
        if authToken == "" || !h.validator.VerifyToken(chargePointID, authToken) {
            http.Error(w, "Unauthorized: Missing or invalid security token", http.StatusUnauthorized)
            return
        }
    }
 
    // Protocol upgrade is only initiated after authentication succeeds
    conn, err := h.upgrader.Upgrade(w, r, nil)
    if err != nil {
        log.Printf("Failed to upgrade authenticated connection: %v", err)
        return
    }
 
    h.registry.Register(chargePointID, conn)
}

By ensuring that the WebSocket upgrade handshake is conditionally approved, unauthorized clients are blocked at the HTTP layer, preventing the establishment of unauthenticated stateful connections.

Exploitation Methodology and Attack Vectors

Exploitation of CVE-2026-20744 relies on network access to the public-facing port of the CSMS backend. The attacker does not require valid administrative credentials, session cookies, or cryptographic certificates to initiate the attack. The process is deterministic and can be automated via standard scripting libraries that support WebSocket handshakes.

The initial phase of the attack requires identifying the target backend domain and discovering valid charging station identifiers. Station identifiers are frequently visible physically on the charging kiosks or can be inferred through sequential numbering schemes. Once a valid target identifier is obtained, the attacker constructs an HTTP upgrade request directed at the corresponding path.

GET /ocpp/STATION-ID-99881 HTTP/1.1
Host: csms.lecircuitelectrique.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

Upon receiving this request, the vulnerable backend returns a 101 Switching Protocols response, establishing the WebSocket connection. The attacker then transmits standard OCPP payload messages formatted as JSON over the established subprotocol channel. By executing a BootNotification or a StatusNotification message, the attacker changes the internal state representation of the target station inside the CSMS database.

This connection allows the attacker to hijack the operational context of the specified charging station. The attacker can spoof transactions, authorize unpaid charging sessions, modify user billing records, or inject malicious diagnostic reports. Additionally, since the backend associates the physical connection with the provided ChargePointId, the legitimate physical charging station may be disconnected or denied service due to duplicate connection conflicts.

Impact Assessment and Business Consequences

The security impact of CVE-2026-20744 is evaluated as critical, receiving a CVSS v3.1 base score of 9.8. Because the vulnerability is exploitable remotely without privileges or user interaction, the threat vector presents a severe risk to critical infrastructure assets. The impact is categorized across three major operational axes: integrity, availability, and confidentiality.

Integrity risks are particularly high due to the nature of the OCPP protocol. Attackers who successfully impersonate charging stations can inject falsified transaction records, allowing fraudulent charging sessions to be billed to arbitrary user accounts. They can also falsify telemetry, reporting active charging loops as idle or error-states, which corrupts the analytical databases used for fleet management and load balancing.

Availability risks affect both individual charging stations and the broader grid distribution network. By establishing concurrent connections under existing station IDs, attackers can force legitimate stations offline. Furthermore, injecting coordinated commands across thousands of impersonated nodes can simulate sudden, massive spikes in power demand, potentially disrupting local grid stability. Confidentiality is compromised through exposure of user session tokens, transaction logs, and internal backend routing endpoints.

Remediation and Defensive Measures

Remediation of CVE-2026-20744 requires implementing strict authentication validations at the edge of the CSMS network before connections reach the application layer. The primary fix deployed by Hydro-Québec involved disabling the OCPP interface across stations where backend synchronization was not actively required. This action significantly reduced the exposed attack surface.

For endpoints that require persistent OCPP communication, organizations must enforce Mutual TLS (mTLS) configuration. The reverse proxy, load balancer, or API gateway must reject any incoming connection that does not present a client certificate signed by a trusted internal Certificate Authority (CA). The backend code must also map the Common Name (CN) or Subject Alternative Name (SAN) of the client certificate directly to the requested ChargePointId in the URI path to prevent cross-station impersonation.

If mTLS cannot be deployed immediately due to legacy hardware constraints on physical charging kiosks, administrators must enforce HTTP Basic Authentication or bearer tokens inside the WebSocket handshake headers. The CSMS backend must perform a database lookup of these credentials before issuing the 101 Switching Protocols handshake response. Finally, network-level isolation via private Access Point Names (APNs) must be configured to ensure charging station telemetry is routed through encrypted, private cellular channels rather than the public internet.

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.52%
Top 59% most exploited

Affected Systems

Hydro-Québec Le Circuit Électrique charging station backend

Affected Versions Detail

Product
Affected Versions
Fixed Version
Le Circuit Électrique charging station backend
Hydro-Québec
< June 2026June 2026 Update
AttributeDetail
CWE IDCWE-284
Attack VectorNetwork
CVSS Severity Score9.8 (Critical)
EPSS Score0.00519 (Percentile: 40.63%)
Primary ImpactPrivilege Escalation and Charging Station Impersonation
Exploit StatusNone (No public PoC or active exploitation)
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1068Exploitation for Privilege Escalation
Privilege Escalation
T1190Exploit Public-Facing Application
Initial Access
T1210Exploitation of Remote Services
Lateral Movement
CWE-284
Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vulnerability Timeline

CISA maps SSVC classification for internal documentation
2026-07-06
CISA publishes ICS-CERT Advisory ICSA-26-188-01
2026-07-07
CVE-2026-20744 is formally assigned and published
2026-07-10
NVD record is modified to finalize secondary mappings
2026-07-14

References & Sources

  • [1]CISA ICS Advisory ICSA-26-188-01
  • [2]CISA CSAF Advisory JSON Source
  • [3]CISA GitHub Repository Directory
  • [4]CVE.org Record for CVE-2026-20744
  • [5]Hydro-Québec Support
  • [6]MITRE CWE-284: Improper Access Control

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•37 minutes ago•CVE-2026-52870
7.6

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

Amit Schendel
Amit Schendel
0 views•6 min read
•about 2 hours ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
1 views•6 min read
•about 8 hours ago•CVE-2026-59950
7.6

CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.

Alon Barad
Alon Barad
7 views•6 min read
•about 8 hours ago•CVE-2026-56271
9.8

CVE-2026-56271: Authentication Bypass via Hardcoded JWT Secrets in Flowise Enterprise Passport Middleware

CVE-2026-56271 represents a critical security flaw in Flowise, an open-source visual orchestration platform for Large Language Models (LLMs) and autonomous AI agents. The vulnerability occurs within the platform's enterprise passport authentication module, where default cryptographic parameters are used in the absence of explicit environment variables. Specifically, the middleware silently falls back to known, static hardcoded secrets ('auth_token' and 'refresh_token') and identifiers ('AUDIENCE' and 'ISSUER') to generate and verify session tokens. Consequently, remote unauthenticated attackers can construct arbitrary JSON Web Tokens (JWTs) signed with these hardcoded credentials to gain administrative entry to the application.

Alon Barad
Alon Barad
6 views•6 min read
•about 9 hours ago•GHSA-X9F9-R4M8-9XC2
8.4

GHSA-x9f9-r4m8-9xc2: Remote Code Execution via GraalVM Polyglot Sandbox Bypass in ArcadeDB Trigger Scripts

ArcadeDB is an open-source, multi-model database engine supporting graph, document, key-value, and vector models. In affected versions of ArcadeDB, the trigger script executor improperly configures GraalVM scripting engine permissions. By allowing the 'java.lang.*' package to be loaded within the scripting context, the sandbox environment can be bypassed. An authenticated user with schema administration privileges ('UPDATE_SCHEMA') can register a malicious script trigger that executes arbitrary Java host classes, leading to unauthenticated remote command execution under the context of the ArcadeDB server process.

Alon Barad
Alon Barad
5 views•6 min read
•about 9 hours ago•CVE-2026-55040
9.1

CVE-2026-55040: Microsoft SharePoint Server Security Feature Bypass Vulnerability

CVE-2026-55040 is a critical security feature bypass vulnerability in Microsoft SharePoint Server arising from a weak authentication mechanism (CWE-1390). An unauthenticated remote attacker can exploit this security flaw over a network to bypass authentication validation routines, gaining unauthorized access to the application and complete control over sensitive enterprise data assets without any user interaction.

Amit Schendel
Amit Schendel
13 views•5 min read