CVE-2026-29044 Overview
CVE-2026-29044 is an authorization bypass vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the handling of WithdrawAuthorization events, where improper timing in the authorization flow allows charging sessions to continue even after authorization has been withdrawn. This represents a classic race condition that can be exploited to defeat authorization controls in EV charging infrastructure.
Critical Impact
Attackers with network access and high privileges can exploit timing conditions to continue EV charging sessions after authorization withdrawal, potentially resulting in unauthorized energy consumption and billing fraud.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-29044 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-29044
Vulnerability Analysis
The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how the EVerest software validates and enforces authorization decisions during active charging sessions.
The core issue lies in the interaction between the WithdrawAuthorization process and the TransactionStarted event within the AuthHandler component. When WithdrawAuthorization is processed before the TransactionStarted event completes, the AuthHandler incorrectly determines that transaction_active=false. This erroneous state assessment leads the handler to only invoke the withdraw_authorization_callback function.
While this callback path correctly calls Charger::deauthorize(), the actual StopTransaction command is never issued when the charger is in the Charging state. This creates a window where the logical authorization state becomes desynchronized from the physical charging operation, allowing the charging process to continue indefinitely despite authorization being withdrawn.
Root Cause
The root cause is a race condition in the authorization state machine where the timing of WithdrawAuthorization relative to TransactionStarted events is not properly synchronized. The AuthHandler makes authorization decisions based on the transaction_active flag without adequately ensuring that this flag reflects the actual physical state of the charging session. This design flaw fails to account for the asynchronous nature of transaction state transitions, resulting in a TOCTOU (Time-of-Check to Time-of-Use) vulnerability.
Attack Vector
An attacker with network access and elevated privileges can exploit this vulnerability by manipulating the timing of authorization withdrawal requests. By sending a WithdrawAuthorization command at a precise moment—after a charging session has physically started but before the TransactionStarted event has been fully processed—the attacker can cause the system to enter an inconsistent state where charging continues without valid authorization.
The attack requires high privileges and precise timing (high attack complexity), which limits the exploitability. However, successful exploitation could result in unauthorized energy consumption, billing discrepancies, and potential manipulation of EV charging infrastructure.
Detection Methods for CVE-2026-29044
Indicators of Compromise
- Charging sessions that continue after authorization withdrawal events are logged
- Discrepancies between authorization logs and actual energy consumption records
- Unusual patterns of WithdrawAuthorization requests timed near TransactionStarted events
- Billing anomalies indicating energy consumption without corresponding valid authorization
Detection Strategies
- Monitor AuthHandler logs for sequences where withdraw_authorization_callback is invoked without a corresponding StopTransaction command
- Implement correlation analysis between authorization state changes and physical charging state
- Alert on charging sessions that exceed expected duration following authorization withdrawal
- Analyze timing patterns of authorization-related API calls for potential exploitation attempts
Monitoring Recommendations
- Enable detailed logging of all authorization state transitions including timestamps
- Implement real-time monitoring of the relationship between transaction_active flag states and physical charger states
- Deploy anomaly detection for billing discrepancies linked to authorization events
- Regularly audit charging logs for sessions that continued after deauthorization
How to Mitigate CVE-2026-29044
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later, which contains the security patch
- Review charging session logs for any evidence of exploitation
- Implement additional monitoring for authorization state inconsistencies
- Consider temporarily restricting network access to EV charging infrastructure pending patch deployment
Patch Information
The EVerest development team has addressed this vulnerability in version 2026.02.0. The patch ensures that StopTransaction is properly invoked when authorization is withdrawn during active charging sessions, regardless of the timing of the TransactionStarted event. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Implement additional application-level checks to verify charging state before processing authorization withdrawals
- Deploy network segmentation to restrict access to the EV charging management interface
- Enable enhanced logging and manual review of authorization events until the patch can be applied
- Consider implementing a secondary confirmation mechanism for StopTransaction commands during the charging state
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
