CVE-2026-20744 in Le Circuit Electrique charging station backendinfo

Summary

by MITRE • 07/11/2026

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/11/2026

This vulnerability represents a critical security flaw in the websocket endpoint of a charging station system that allows unauthorized access through improper authentication mechanisms. The absence of proper authentication checks creates an exploitable entry point where malicious actors can establish websocket connections without valid credentials, potentially enabling them to manipulate charging operations or access sensitive system information.

The technical implementation flaw stems from inadequate session management and authentication validation within the websocket handshake process. When a client attempts to connect to the charging station's websocket endpoint, the system fails to verify the identity of the connecting entity before establishing the connection. This weakness aligns with CWE-287 which addresses improper authentication vulnerabilities where systems fail to properly authenticate users or devices attempting to access protected resources.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it creates opportunities for privilege escalation attacks that could allow attackers to gain elevated system privileges. An attacker who successfully establishes an unauthenticated websocket connection could potentially manipulate charging parameters, monitor energy consumption data, or even disrupt charging operations for other legitimate users. This represents a significant threat to both operational integrity and security of the charging infrastructure.

From an attack perspective, this vulnerability maps to multiple ATT&CK techniques including T1078 for valid accounts usage and T1566 for credential harvesting through network-based attacks. The lack of authentication enforcement creates an attack surface that could be exploited by adversaries looking to gain persistent access to charging station networks. The vulnerability is particularly concerning in environments where charging stations are connected to broader IoT ecosystems or corporate networks.

Mitigation strategies should focus on implementing robust authentication mechanisms including token-based validation, certificate-based authentication, or multi-factor authentication for websocket connections. Organizations should also implement proper session management with timeout mechanisms and ensure that all websocket endpoints require valid authentication before establishing any communication channels. Network segmentation and monitoring of websocket connection attempts can provide additional layers of defense against exploitation attempts.

Additional security controls should include implementing rate limiting for websocket connection attempts, logging all authentication events, and conducting regular security assessments to identify similar authentication weaknesses in other system components. The vulnerability demonstrates the importance of applying principle of least privilege and ensuring that all network endpoints require proper authorization before granting access to system resources, particularly in critical infrastructure environments where charging stations may be part of larger energy management systems.

Responsible

Icscert

Reservation

01/28/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!