PatchSiren cyber security CVE debrief
CVE-2026-44383 Hydro-Québec CVE debrief
CVE-2026-44383 is a high-severity vulnerability with a CVSS score of 8.7. Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend. This vulnerability affects organizations using charging stations and OCPP clients. The CVE record was published on 2026-07-10T23:16:48.343Z and has not been modified since then. The NVD entry is currently Received.
- Vendor
- Hydro-Québec
- Product
- Le Circuit Electrique charging station backend
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Organizations using charging stations and OCPP clients should be aware of this vulnerability and take necessary precautions. They should verify the affected scope and severity with the vendor and implement necessary mitigations. The vulnerability could affect operators, platforms, and security teams, and they should review the CVE record and NVD entry for more information.
Technical summary
The vulnerability allows multiple connections to the backend using the same charging station ID, which could lead to a denial-of-service attack. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The vulnerability has a high severity score and could be used to overwhelm the backend with malicious OCPP clients.
Defensive priority
High
Recommended defensive actions
- Verify and limit connections to the backend
- Implement authentication and authorization for OCPP clients
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-10T23:16:48.343Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it is considered high-severity with a CVSS score of 8.7.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T23:16:48.343Z and has not been modified since then.