CVE-2026-28230
Insecure Authorization Allows Cross-Charger Session Termination in SteVe
Publication date: 2026-02-26
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steve-community | steve | up to and including 3.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects SteVe, an open-source EV charging station management system, in versions up to and including 3.11.0. When a charger sends a StopTransaction message, SteVe looks up the transaction only by its transactionId without verifying that the charger requesting the stop is the same charger that started the transaction. This means any authenticated charger can terminate any other charger's active charging session across the entire network.
The root cause is that the system's method for retrieving transactions (OcppServerRepositoryImpl.getTransaction()) queries only by transactionId and does not check ownership by chargeBoxId. Although the validator checks if the transaction exists and is not already stopped, it never verifies the identity of the requester.
An attacker controlling a single registered charger can enumerate sequential transaction IDs and send StopTransaction messages to disrupt active sessions on other chargers simultaneously. Furthermore, combined with another issue (unauthenticated SOAP endpoints), the attack can be executed without even needing a registered charger, requiring only a known chargeBoxId.
A fix for this issue is included in commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e.
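The following added example (not SteVe's code; all class and function names are assumed for illustration) contrasts a lookup keyed on transactionId alone with one that also requires the requesting chargeBoxId to own the transaction, and adds a log check that flags StopTransaction messages whose sender differs from the charger that started the session.

```python
from dataclasses import dataclass

# Illustrative model of the problem, not SteVe's own repository/validator code.
@dataclass
class Transaction:
    transaction_id: int
    charge_box_id: str
    stopped: bool = False

class TransactionRepo:
    """Minimal in-memory stand-in for the transaction table (constructed)."""
    def __init__(self):
        self._by_id = {}

    def start(self, transaction_id, charge_box_id):
        tx = Transaction(transaction_id, charge_box_id)
        self._by_id[transaction_id] = tx
        return tx

    def get_transaction_by_id_only(self, transaction_id):
        # Vulnerable pattern: keyed on transactionId alone, owner never checked.
        return self._by_id.get(transaction_id)

    def get_transaction(self, transaction_id, charge_box_id):
        # Hardened lookup: the row must also belong to the requesting charger.
        tx = self._by_id.get(transaction_id)
        return tx if tx and tx.charge_box_id == charge_box_id else None

def stop_transaction(repo, requester_box_id, transaction_id):
    """Validate a StopTransaction: exists, owned by requester, not stopped."""
    tx = repo.get_transaction(transaction_id, requester_box_id)
    if tx is None:
        return "rejected: unknown transaction for this charger"
    if tx.stopped:
        return "rejected: already stopped"
    tx.stopped = True
    return "accepted"

def find_cross_charger_stops(messages):
    """Flag stops whose sender differs from the charger that started the session.
    messages: (action, chargeBoxId, transactionId) tuples in arrival order."""
    owner, suspicious = {}, []
    for action, box, tx_id in messages:
        if action == "StartTransaction":
            owner[tx_id] = box
        elif action == "StopTransaction" and owner.get(tx_id) not in (None, box):
            suspicious.append((box, tx_id, owner[tx_id]))
    return suspicious
```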
How can this vulnerability impact me?
This vulnerability allows an attacker with control over a single registered charger, or even without registration if combined with another issue, to terminate active charging sessions on any other charger in the network. This can cause denial of service by interrupting charging for legitimate users.
Such disruptions can lead to user dissatisfaction, operational interruptions, and potential financial losses for charging station operators. It also undermines trust in the charging infrastructure's reliability and security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by SteVe versions up to and including 3.11.0 allowing any authenticated charger to terminate any other charger's active session by exploiting the lack of ownership verification in StopTransaction messages.
Immediate mitigation steps include applying the fix contained in commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e, which addresses the issue by adding proper ownership checks.
Until the fix is applied, restrict access to the charging station management system to trusted chargers only and monitor for suspicious StopTransaction messages that could indicate exploitation attempts.