Description
SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger’s active session across the entire network. The root cause is in OcppServerRepositoryImpl.getTransaction() which queries only by transactionId with no chargeBoxId ownership check. The validator checks that the transaction exists and is not already stopped but never verifies identity. As an attacker controlling a single registered charger I could enumerate sequential transaction IDs and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. Combined with FINDING-014 (unauthenticated SOAP endpoints), no registered charger is even required — the attack is executable with a single curl command requiring only a known chargeBoxId. Commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contains a fix for the issue.
Published: 2026-02-26
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized termination of charging transactions
Action: Immediate Patch
AI Analysis

Impact

SteVe, an open-source EV charging station management system, contains an access control flaw (CWE-284) in its handling of the OCPP StopTransaction message. The server checks only that the referenced transaction exists and has not already been stopped; it never checks that the requesting charger is the one that started it. Consequently, any authenticated charger, and, because of a separate exposure of unprotected SOAP endpoints, even an unauthenticated requester, can stop any other charger's active session. This lets an attacker disrupt charging across the whole network, potentially causing financial loss or safety concerns, and amounts to unauthorized control over a critical operational function.

Affected Systems

The vulnerability affects the steve-community SteVe product in all versions up to and including 3.11.0. Administrators should check the deployed version and treat anything at or below 3.11.0 as affected.

Risk and Exploitability

The CVSS 4.0 base score of 5.7 indicates moderate severity (the record also carries a CVSS 3.1 score of 6.3). The 4.0 vector, AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H, describes a network-reachable, low-complexity attack needing only low privileges (a registered charger) whose impact is confined to availability. The EPSS score of less than 1 % suggests a low likelihood of widespread exploitation at this time. Exploitation requires only a known chargeBoxId and the ability to send a StopTransaction message; because transaction IDs are sequential integers starting from 1, enumerating active sessions is trivial. Where the SOAP endpoints are also left unauthenticated (the separate finding referenced in the description), no registered charger is needed at all. The issue is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded. Nonetheless, the potential to disrupt charging services warrants prompt remediation.

Generated by OpenCVE AI on April 17, 2026 at 14:13 UTC.

Remediation

The CVE record lists no vendor fix or workaround, although the description identifies commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e as containing a fix.

OpenCVE Recommended Actions

  • Update SteVe to a release that includes the fix in commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e.
  • Disable the unauthenticated SOAP endpoints or enforce authentication on them, so that the flaw cannot be reached without a registered charger.
  • Confirm that the StopTransaction handler verifies that the requesting chargeBoxId owns the transaction before marking it stopped, and that it does not reveal to a non-owner whether a given transactionId is active.
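The ownership check called for above, and the enumeration attack the description walks through, as an added example. This is not SteVe's code: it is a constructed in-memory model of a StopTransaction handler in which the store, the Transaction type, the function names and the sample chargers (CP-001 to CP-003) are all assumptions for illustration, and the string results stand in for whatever the real server returns.

```python
"""Added example (not SteVe's code): a minimal model of a StopTransaction
handler that looks up transactions by transactionId only (the flaw in
CVE-2026-28230) beside one that also requires the requesting chargeBoxId to
own the transaction. Everything here is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    transaction_id: int       # sequential integer, starting at 1
    charge_box_id: str        # charger that sent StartTransaction
    stopped: bool = False


class TransactionStore:
    """Stand-in for the repository; IDs are handed out sequentially."""

    def __init__(self):
        self._next_id = 1
        self._by_id: dict[int, Transaction] = {}

    def start(self, charge_box_id: str) -> Transaction:
        tx = Transaction(self._next_id, charge_box_id)
        self._by_id[tx.transaction_id] = tx
        self._next_id += 1
        return tx

    def get(self, transaction_id: int) -> Optional[Transaction]:
        # Vulnerable lookup: keyed on transactionId alone.
        return self._by_id.get(transaction_id)

    def get_owned(self, transaction_id: int, charge_box_id: str) -> Optional[Transaction]:
        # Hardened lookup: the row must also belong to the requesting charger.
        tx = self._by_id.get(transaction_id)
        if tx is None or tx.charge_box_id != charge_box_id:
            return None
        return tx


def stop_transaction_vulnerable(store: TransactionStore, requester: str, transaction_id: int) -> str:
    """Mirrors the flawed validator: exists? not already stopped? then stop."""
    tx = store.get(transaction_id)          # requester is never consulted
    if tx is None:
        return "Rejected: unknown transaction"
    if tx.stopped:
        return "Rejected: already stopped"
    tx.stopped = True
    return "Accepted"


def stop_transaction_fixed(store: TransactionStore, requester: str, transaction_id: int) -> str:
    """Same flow, but the lookup is scoped to the requesting charger."""
    tx = store.get_owned(transaction_id, requester)
    if tx is None:
        # One answer for "not found" and "not yours", so a non-owner cannot
        # use the reply to learn which sequential IDs are currently live.
        return "Rejected: unknown transaction"
    if tx.stopped:
        return "Rejected: already stopped"
    tx.stopped = True
    return "Accepted"


def enumerate_and_stop(store: TransactionStore, handler, attacker: str, max_id: int) -> list[int]:
    """The attack from the description: one charger walks the sequential ID
    space and sends StopTransaction for each. Returns the IDs it stopped."""
    return [tid for tid in range(1, max_id + 1)
            if handler(store, attacker, tid) == "Accepted"]


def build_sample_store() -> TransactionStore:
    """Constructed sample: three chargers, each with one active session."""
    store = TransactionStore()
    for cb in ("CP-001", "CP-002", "CP-003"):
        store.start(cb)
    return store


def demo() -> tuple[list[int], list[int]]:
    """Run the enumeration from CP-003 against both handlers."""
    vuln = build_sample_store()
    stopped_vuln = enumerate_and_stop(vuln, stop_transaction_vulnerable, "CP-003", 10)
    fixed = build_sample_store()
    stopped_fixed = enumerate_and_stop(fixed, stop_transaction_fixed, "CP-003", 10)
    return stopped_vuln, stopped_fixed


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable handler stopped:", v)  # [1, 2, 3]: every charger's session
    print("fixed handler stopped:", f)       # [3]: only the attacker's own
```

The fix is a change to the lookup key, not to the validator: once the repository query is scoped by chargeBoxId, the existing "exists / not stopped" checks are sufficient. Returning the same rejection for a foreign transaction as for a nonexistent one keeps the sequential ID space from doubling as an oracle for which sessions are active.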



Advisories

No advisories yet.

History

Tue, 03 Mar 2026 20:00:00 +0000

Type  Values Removed  Values Added
Weaknesses  (none)  NVD-CWE-noinfo
CPEs  (none)  cpe:2.3:a:steve-community:steve:*:*:*:*:*:*:*:*
Metrics  (none)  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Fri, 27 Feb 2026 19:15:00 +0000

Type  Values Removed  Values Added
Metrics  (none)  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type  Values Removed  Values Added
First Time appeared  (none)  Steve-community; Steve-community steve
Vendors & Products  (none)  Steve-community; Steve-community steve

Thu, 26 Feb 2026 23:15:00 +0000

Type  Values Removed  Values Added
Description  (none)  SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger’s active session across the entire network. The root cause is in OcppServerRepositoryImpl.getTransaction() which queries only by transactionId with no chargeBoxId ownership check. The validator checks that the transaction exists and is not already stopped but never verifies identity. As an attacker controlling a single registered charger I could enumerate sequential transaction IDs and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. Combined with FINDING-014 (unauthenticated SOAP endpoints), no registered charger is even required — the attack is executable with a single curl command requiring only a known chargeBoxId. Commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contains a fix for the issue.
Title  (none)  In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)
Weaknesses  (none)  CWE-284
References  (none)
Metrics  (none)  cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:17:19.675Z

Reserved: 2026-02-25T15:28:40.651Z

Link: CVE-2026-28230

Vulnrichment

Updated: 2026-02-27T18:17:06.152Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:36.733

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-28230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses