CVE-2026-29044

EUVD-2026-16230

26.03.2026, 17:16

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L
GitHub_M	CNA	5 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/EVerest/EVerest/security/advisories/GHSA-gx37-p775-qf5v