Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unsafe continuation of charging after authorization withdrawal
Action: Patch
AI Analysis

Impact

EVerest, an electric‑vehicle charging stack, has an ordering flaw in its authorization handling. If a WithdrawAuthorization request is processed before the AuthHandler has seen the TransactionStarted event, the handler concludes that no transaction is active (`transaction_active=false`) and takes only the `withdraw_authorization_callback` path. That path ends in `Charger::deauthorize()`, which clears the authorization but never issues a StopTransaction, so a charger that is already in the Charging state keeps supplying power after the authorization has been withdrawn. The result is unintended energy draw and a loss of the safety property that withdrawing authorization ends the session.
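The following C++ model is an added illustration and not EVerest's own code. It replays the ordering the description gives (withdrawal handled while the handler still believes no transaction is active) against a vulnerable handler and against one hardened in two ways: it consults the charger's real state instead of its own `transaction_active` flag, and it latches a withdrawal that arrives early so a later TransactionStarted still stops the session. The class and method names (`Charger`, `AuthHandler`, `on_withdraw_authorization`, and so on) and the hardening itself are assumptions; they are not necessarily the change shipped in 2026.02.0.

```cpp
#include <string>
#include <vector>

// Hypothetical model of the event ordering behind CVE-2026-29044.
// Names mirror the advisory text; the logic is a simplification, not EVerest code.

enum class ChargerState { Idle, Charging };

struct Charger {
    ChargerState state = ChargerState::Idle;
    bool authorized = false;
    std::vector<std::string> actions;  // what the charger actually did, in order

    void start_charging() { state = ChargerState::Charging; actions.push_back("Charging"); }

    // Behaviour from the description: deauthorize() clears the authorization
    // but does not stop a session that is already delivering power.
    void deauthorize() { authorized = false; actions.push_back("deauthorize"); }

    void stop_transaction() { state = ChargerState::Idle; actions.push_back("StopTransaction"); }
};

class AuthHandler {
public:
    AuthHandler(Charger& c, bool hardened) : charger_(c), hardened_(hardened) {}

    void on_transaction_started() {
        transaction_active_ = true;
        // Hardened: a withdrawal that was processed before this event must still take effect.
        if (hardened_ && pending_withdrawal_) {
            pending_withdrawal_ = false;
            charger_.stop_transaction();
        }
    }

    void on_withdraw_authorization() {
        if (transaction_active_) {
            charger_.stop_transaction();  // normal path: the session is stopped
            return;
        }
        charger_.deauthorize();           // withdraw_authorization_callback path
        if (hardened_) {
            // Do not trust the handler's own flag: if the charger is already
            // delivering power, stop it now; otherwise remember the withdrawal.
            if (charger_.state == ChargerState::Charging) {
                charger_.stop_transaction();
            } else {
                pending_withdrawal_ = true;
            }
        }
    }

private:
    Charger& charger_;
    bool hardened_;
    bool transaction_active_ = false;
    bool pending_withdrawal_ = false;
};

// Charger is already in the Charging state; the handler sees the withdrawal and
// the TransactionStarted event in either order. Returns true if charging was stopped.
bool withdrawal_stops_charging(bool hardened, bool withdraw_before_started) {
    Charger charger;
    AuthHandler handler(charger, hardened);
    charger.authorized = true;
    charger.start_charging();
    if (withdraw_before_started) {
        handler.on_withdraw_authorization();
        handler.on_transaction_started();
    } else {
        handler.on_transaction_started();
        handler.on_withdraw_authorization();
    }
    return charger.state == ChargerState::Idle;
}

// Withdrawal arrives before the lower layer has even started charging (hypothetical
// sequence); only the latched withdrawal can stop the session that follows.
bool early_withdrawal_stops_charging(bool hardened) {
    Charger charger;
    AuthHandler handler(charger, hardened);
    charger.authorized = true;
    handler.on_withdraw_authorization();
    charger.start_charging();
    handler.on_transaction_started();
    return charger.state == ChargerState::Idle;
}
```

With `hardened=false`, `withdrawal_stops_charging(false, true)` returns false: the charger's action log reads `Charging`, `deauthorize` and nothing else, which is exactly the "deauthorized but still charging" state the advisory describes. The point of the hardening is that the stop decision is taken from the charger's observable state (or deferred until that state is known), not from a flag the handler set from events that may arrive out of order.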

Affected Systems

The vulnerability affects the EVerest core component (everest-core). All installations running versions earlier than 2026.02.0 are impacted. Version 2026.02.0 contains a patch that corrects the logic and ensures that a withdrawal of authorization stops the charger.

Risk and Exploitability

The CVSS 3.1 score of 5.0 (AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L) rates the issue medium: it is reachable over the network, but the attacker needs high privileges on the authorization path and must hit a narrow timing window, which is why attack complexity is high. EPSS is below 1%, suggesting exploitation in the wild is unlikely, and the vulnerability is not listed in CISA's KEV catalog; note, however, that the SSVC record on this page marks Exploitation as "poc", so a proof of concept is known. Exploitation requires getting a WithdrawAuthorization request processed before the corresponding TransactionStarted event, most plausibly through whatever interface carries authorization and charging commands to the charger. No code execution results; the impact is integrity of the authorization decision (charging continues beyond the authorized period) with a minor availability component.

Generated by OpenCVE AI on March 31, 2026 at 15:30 UTC.

Remediation

A vendor fix is available: EVerest 2026.02.0 corrects the AuthHandler withdrawal path so that withdrawing authorization stops an ongoing session. No workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Update EVerest to version 2026.02.0 or later.


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 14:45:00 +0000

Type: First Time appeared
  Values Added: Linuxfoundation; Linuxfoundation everest
Type: CPEs
  Values Added: cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Linuxfoundation; Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
  Values Added: Everest; Everest everest-core
Type: Vendors & Products
  Values Added: Everest; Everest everest-core

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
  Values Added: version 2.0.3; Automatable: no; Exploitation: poc; Technical Impact: partial


Thu, 26 Mar 2026 17:15:00 +0000

Type: Description
  Values Removed: EVerest is an EV charging software stack. Prior to versions to 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.
  Values Added: EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.

Thu, 26 Mar 2026 16:45:00 +0000

Type: Description
  Values Added: EVerest is an EV charging software stack. Prior to versions to 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.
Type: Title
  Values Added: EVerest: Charging Continues When WithdrawAuthorization Is Processed Before TransactionStarted
Type: Weaknesses
  Values Added: CWE-863
Type: References
  Values Added: (none recorded)
Type: Metrics (cvssV3_1)
  Values Added: score 5; vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-03-26T18:50:00.493Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29044

Vulnrichment

Updated: 2026-03-26T18:49:57.260Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:34.503

Modified: 2026-03-31T14:40:50.140

Link: CVE-2026-29044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:49Z

Weaknesses