CVE-2026-33014
Status: Received - Intake
Authorization Bypass in EVerest EV Charging RemoteStop Transaction

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-31
Generated: 2026-05-27
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-25
References: NVD, EUVD
Affected Vendors & Products
Vendor: linuxfoundation
Product: everest
Version / Range: up to 2026.02.0 (excluding)
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33014 is a vulnerability in the EVerest EVSE (Electric Vehicle Supply Equipment) software stack prior to version 2026.02.0. During the RemoteStop process, when a stop command is issued to end a charging transaction, a delayed authorization response improperly resets the authorization state back to true. This means that even after a remote stop has requested that the charging session be terminated, the transaction can remain open: the stop_transaction() call is skipped because the system mistakenly believes the session is still authorized.

Technically, when a RemoteStop command is received, the software calls cancel_transaction(), which sets the authorization flag to false and initiates stopping the transaction. However, if an authorization response arrives late, the software calls authorize(true) without checking the current state, resetting the authorization flag to true. Later, when a PowerOff event occurs, the system only stops the transaction if the authorization flag is false. Since it was reset to true, the stop_transaction() call is bypassed, leaving the transaction active.
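The event ordering described above, replayed against a small state model. This is an added illustration, not EVerest's own code: the struct names, the `cancel_requested` flag and the `replay_delayed_authorization()` helper are assumptions chosen to mirror the function names in the description. The vulnerable variant applies a late authorization response unconditionally; the hardened variant drops it once a cancel has been requested, so the PowerOff guard still fires.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of the transaction/authorization state discussed for
// CVE-2026-33014. Not EVerest code; names are assumptions for illustration.
struct TransactionModel {
    bool authorized = false;
    bool transaction_active = false;
    bool cancel_requested = false;
    std::vector<std::string> events;  // trace of what happened, for inspection

    void start_transaction() {
        transaction_active = true;
        authorized = true;
        cancel_requested = false;
        events.push_back("start");
    }

    // RemoteStop handling: withdraw authorization and request a stop.
    void cancel_transaction() {
        authorized = false;
        cancel_requested = true;
        events.push_back("cancel");
    }

    void stop_transaction() {
        transaction_active = false;
        events.push_back("stop");
    }

    // PowerOff handling: as described, the transaction is only stopped
    // when authorization has been withdrawn.
    void on_power_off() {
        if (!authorized) {
            stop_transaction();
        } else {
            events.push_back("power_off_ignored");
        }
    }
};

// Vulnerable variant: a delayed authorization response is applied
// without looking at the current state, re-enabling `authorized`.
struct VulnerableEvse : TransactionModel {
    void authorize(bool ok) {
        authorized = ok;
        events.push_back("authorize");
    }
};

// Hardened variant: once a cancel has been requested, a late
// authorization response must not re-authorize the transaction.
struct HardenedEvse : TransactionModel {
    void authorize(bool ok) {
        if (cancel_requested) {
            events.push_back("authorize_dropped");
            return;
        }
        authorized = ok;
        events.push_back("authorize");
    }
};

// Replays the sequence from the description: RemoteStop, then a delayed
// authorization response, then PowerOff. Returns true if the transaction
// is still open afterwards.
template <typename Evse>
bool replay_delayed_authorization(Evse& evse) {
    evse.start_transaction();
    evse.cancel_transaction();  // RemoteStop arrives
    evse.authorize(true);       // delayed authorization response
    evse.on_power_off();        // PowerOff event
    return evse.transaction_active;
}

bool vulnerable_leaves_transaction_open() {
    VulnerableEvse evse;
    return replay_delayed_authorization(evse);
}

bool hardened_closes_transaction() {
    HardenedEvse evse;
    return !replay_delayed_authorization(evse);
}

int main() {
    std::printf("vulnerable: transaction still open = %s\n",
                vulnerable_leaves_transaction_open() ? "yes" : "no");
    std::printf("hardened:   transaction closed     = %s\n",
                hardened_closes_transaction() ? "yes" : "no");
    return 0;
}
```

The `events` trace is what a monitoring check would look for: a `cancel` followed by `power_off_ignored` with no `stop` is the signature of the defect, whereas the hardened path records `cancel`, `authorize_dropped`, `stop`.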


How can this vulnerability impact me?

This vulnerability can allow charging sessions to continue even after a remote stop command has been issued. As a result, transactions may remain open incorrectly, leading to potential billing inaccuracies and compromised transaction integrity.

  • Unauthorized continuation of charging sessions despite stop commands.
  • Potential financial impact due to incorrect billing for ongoing transactions.
  • Compromise of policy enforcement related to transaction termination.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the improper resetting of the authorization state during RemoteStop processing in the EVerest EVSE software, which can cause charging transactions to remain open despite stop commands.

Detection would involve monitoring the state of charging transactions after RemoteStop commands to verify if transactions are properly terminated.

Since the issue is related to software internal state management rather than network traffic, direct network commands may not detect it.

However, you can check the software version running on your EVSE devices to identify if they are prior to the patched version 2026.02.0, which is vulnerable.

Suggested commands include querying the EVSE software version or logs for RemoteStop events and verifying if transactions remain active after such events.

For example, if the EVSE software provides a CLI or API, commands to check current transactions and their authorization status after a RemoteStop command would be useful.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the EVerest EVSE software to version 2026.02.0 or later, which contains a patch that prevents delayed authorization responses from overriding the authorization state after a RemoteStop.

Until the upgrade can be applied, monitor charging transactions closely to detect any that remain active after RemoteStop commands.

Implement additional manual or automated checks to ensure transactions are properly stopped after RemoteStop events.

Review and possibly restrict physical access to the EVSE devices, as the attack vector requires physical access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows charging transactions to remain active despite remote stop commands, leading to unauthorized continuation of charging sessions and potential billing inaccuracies.

Such unauthorized transaction continuation and compromised transaction integrity could impact compliance with standards and regulations that require accurate transaction logging, billing integrity, and proper enforcement of operational policies.

However, there is no direct mention in the provided information about specific effects on compliance with GDPR, HIPAA, or other common standards.

