Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Failed Termination of EV Charging Sessions
Action: Apply Patch
AI Analysis

Impact

During RemoteStop processing in EVerest before 2026.02.0, an authorization response that arrives late sets the `authorized` flag back to true. The condition under which `stop_transaction()` is called on a PowerOff event then no longer holds, so the charging transaction stays open even though a remote stop was issued. The trigger is message ordering rather than a crafted input: any authorization response that lands after the RemoteStop, whether through backend latency or otherwise, keeps the session alive from the charger's point of view. The result is a session the operator intended to end that is not closed, with potentially continued energy delivery and billing for it; this is why the CVSS vector on this page rates integrity impact high and availability impact low. The weakness is classified as CWE-863 (incorrect authorization).
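To make the ordering concrete, the following is an added illustration in C++; it is not EVerest code and does not reproduce the upstream fix. Only the `authorized` flag and `stop_transaction()` come from the description; the request-id scheme, the `remote_stop_requested` flag, the handler names and the exact PowerOff condition are assumptions made for the example. The vulnerable handlers let a late "accepted" response overwrite the RemoteStop; the hardened ones tie each response to an outstanding request and refuse to re-authorize once a remote stop is in flight.

```cpp
// Added illustration of the stale-authorization race behind CVE-2026-33014.
// Hypothetical model, not EVerest's code: only `authorized` and
// `stop_transaction()` come from the advisory text; every other name, the
// request-id scheme and the exact PowerOff condition are assumptions.
#include <cstdint>
#include <cstdio>

struct AuthResponse {
    uint32_t request_id;   // which outstanding request this answers (assumed)
    bool accepted;
};

struct Charger {
    bool authorized = false;           // the flag the advisory names
    bool transaction_open = false;
    bool remote_stop_requested = false;
    uint32_t auth_request_id = 0;      // id of the request still in flight, 0 = none

    void stop_transaction() { transaction_open = false; }
};

static uint32_t g_next_request_id = 1;

// Sends an authorization request to the backend and remembers its id.
uint32_t request_authorization(Charger& c) {
    c.auth_request_id = g_next_request_id++;
    return c.auth_request_id;
}

// Assumed call condition on PowerOff: only an unauthorized session is closed.
void on_power_off(Charger& c) {
    if (!c.authorized) c.stop_transaction();
}

// --- Vulnerable handling (models the pre-2026.02.0 behaviour) ---------------
void vulnerable_on_remote_stop(Charger& c) {
    c.authorized = false;              // RemoteStop de-authorizes ...
}
void vulnerable_on_auth_response(Charger& c, const AuthResponse& r) {
    c.authorized = r.accepted;         // ... but a late "accepted" re-authorizes
}

// --- Hardened handling (one possible shape, not the upstream patch) ---------
void hardened_on_remote_stop(Charger& c) {
    c.authorized = false;
    c.remote_stop_requested = true;    // cleared on session teardown (not modelled)
    c.auth_request_id = 0;             // invalidate whatever is still in flight
}
void hardened_on_auth_response(Charger& c, const AuthResponse& r) {
    // Ignore responses that do not match an outstanding request, and never
    // re-authorize while a remote stop is being processed.
    if (c.remote_stop_requested || r.request_id == 0 ||
        r.request_id != c.auth_request_id)
        return;
    c.authorized = r.accepted;
    c.auth_request_id = 0;             // request consumed
}

using RemoteStopHandler = void (*)(Charger&);
using AuthHandler = void (*)(Charger&, const AuthResponse&);

// Replays the sequence from the advisory: session running, auth response still
// pending, RemoteStop, late response, PowerOff. Returns true when the
// transaction is still open afterwards, i.e. the remote stop was defeated.
bool remote_stop_defeated(RemoteStopHandler on_remote_stop, AuthHandler on_auth_response) {
    Charger c;
    c.authorized = true;               // session already running (assumed)
    c.transaction_open = true;
    uint32_t pending = request_authorization(c);      // response not yet received
    on_remote_stop(c);                                // operator issues RemoteStop
    on_auth_response(c, AuthResponse{pending, true}); // delayed backend answer
    on_power_off(c);                                  // PowerOff event
    return c.transaction_open;
}

// Sanity check for the hardened path: a timely response still authorizes.
bool hardened_accepts_timely_response() {
    Charger c;
    uint32_t pending = request_authorization(c);
    hardened_on_auth_response(c, AuthResponse{pending, true});
    return c.authorized;
}

int main() {
    printf("vulnerable: transaction still open after RemoteStop+PowerOff = %d\n",
           remote_stop_defeated(vulnerable_on_remote_stop, vulnerable_on_auth_response));
    printf("hardened:   transaction still open after RemoteStop+PowerOff = %d\n",
           remote_stop_defeated(hardened_on_remote_stop, hardened_on_auth_response));
    return 0;
}
```

Build with any C++11 compiler (for example `g++ -std=c++11 stale_auth.cpp`): the vulnerable replay reports the transaction still open, the hardened one reports it closed while a timely response is still honoured. The actual 2026.02.0 change may take a different shape; the point is that an asynchronous response must be validated against the charger's current state rather than applied unconditionally.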

Affected Systems

The flaw is in EVerest's everest-core, the software stack that runs on electric vehicle charging stations. Every everest-core release before version 2026.02.0 is affected, regardless of deployment platform.

Risk and Exploitability

The CVSS 3.1 vector recorded on this page (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) gives 5.2 Medium: physical attack vector, low complexity, no privileges or user interaction, high integrity impact and low availability impact. The EPSS is below 1% and the CVE is not in CISA's KEV catalog; the SSVC assessment records a proof of concept (Exploitation: poc) but rates the issue not automatable with partial technical impact. Note that the RemoteStop itself is an ordinary operator command; the vulnerable step is the handling of an authorization response that arrives after it. Triggering the fault therefore depends on the timing of that response relative to the stop, not on being able to issue RemoteStop commands.

Generated by OpenCVE AI on March 31, 2026 at 15:38 UTC.

Remediation

Fixed in everest-core 2026.02.0. No workaround for earlier versions is described.

OpenCVE Recommended Actions

  • Upgrade EVerest everest‑core to version 2026.02.0 or newer.
  • Restart the charging station after the upgrade to apply the patch.
  • Verify the fix by issuing a RemoteStop while an authorization response is still outstanding, then confirm in the transaction logs that `authorized` is not set back to true and that the transaction is closed on the following PowerOff event.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 14:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Linuxfoundation
                                      Linuxfoundation everest
CPEs                                  cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products                    Linuxfoundation
                                      Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Everest
                                      Everest everest-core
Vendors & Products                    Everest
                                      Everest everest-core

Thu, 26 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description          Removed: EVerest is an EV charging software stack. Prior to versions to 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.
                     Added:   EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.

Thu, 26 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           EVerest is an EV charging software stack. Prior to versions to 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.
Title                                 EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop
Weaknesses                            CWE-863
References                            (none)
Metrics                               cvssV3_1: {'score': 5.2, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:24:11.044Z

Reserved: 2026-03-17T17:22:14.665Z

Link: CVE-2026-33014

Vulnrichment

Updated: 2026-03-26T17:48:12.658Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:37.977

Modified: 2026-03-31T13:53:28.383

Link: CVE-2026-33014

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:47Z

Weaknesses