CVE-2026-33014 Overview
CVE-2026-33014 is an authorization bypass vulnerability in EVerest, an open-source EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores the authorized flag back to true, defeating the stop_transaction() call condition on PowerOff events. As a result, charging transactions can remain open even after a remote stop command has been issued.
Critical Impact
This authorization bypass flaw allows charging transactions to continue running after a remote stop has been initiated, potentially enabling unauthorized energy consumption and billing fraud at EV charging stations.
Affected Products
- EVerest EV Charging Software Stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE-2026-33014 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33014
Vulnerability Analysis
This vulnerability is classified as CWE-863: Incorrect Authorization. The flaw exists in the transaction lifecycle management component of the EVerest charging software stack. When a RemoteStop command is processed, the system should terminate the charging session and mark the transaction as unauthorized. However, due to a race condition in the authorization response handling, a delayed authorization response can arrive after the stop command and restore the authorized flag to true.
The timing window between the RemoteStop processing and the delayed authorization response creates an opportunity where the stop_transaction() function's condition check fails because it sees an authorized state. This allows the charging session to remain active despite the operator's explicit intent to terminate it.
Root Cause
The root cause is improper synchronization between the authorization state machine and the RemoteStop command processing logic. The authorization module does not account for pending stop commands when processing delayed authorization responses, leading to a state inconsistency where the transaction appears authorized after a stop has been requested.
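To make the race concrete, the following Python model (added here, not EVerest source; the class, method and event names are assumptions that mirror the advisory's wording) replays the sequence described above, and includes a hardened variant in which a pending stop outranks a late authorization response:

```python
from dataclasses import dataclass, field


@dataclass
class ChargingSession:
    """Minimal model of the transaction/authorization state the advisory describes."""
    authorized: bool = False
    transaction_open: bool = False
    stop_requested: bool = False      # consulted only by the hardened variant
    hardened: bool = False            # True = behaviour of the fixed logic (assumed)
    events: list = field(default_factory=list)

    def start(self) -> None:
        self.authorized = True
        self.transaction_open = True
        self.events.append("TransactionStarted")

    def remote_stop(self) -> None:
        # RemoteStop withdraws authorization and records the operator's intent.
        self.stop_requested = True
        self.authorized = False
        self.events.append("RemoteStop")

    def authorization_response(self, accepted: bool) -> None:
        # A delayed reply to the original authorization request lands here.
        if self.hardened and self.stop_requested:
            self.events.append("AuthResponseIgnored")  # fix: pending stop wins
            return
        self.authorized = accepted  # vulnerable: silently restores authorized=True
        self.events.append(f"AuthResponse({accepted})")

    def power_off(self) -> None:
        # Modelled stop_transaction() call condition: only fires when not authorized.
        if not self.authorized:
            self.stop_transaction()
        self.events.append("PowerOff")

    def stop_transaction(self) -> None:
        self.transaction_open = False
        self.events.append("TransactionStopped")


def run_scenario(hardened: bool) -> ChargingSession:
    """Replay the race: RemoteStop, then a late 'accepted' response, then PowerOff."""
    session = ChargingSession(hardened=hardened)
    session.start()
    session.remote_stop()
    session.authorization_response(True)
    session.power_off()
    return session
```

Running `run_scenario(False)` leaves the transaction open with `authorized` back at True, while `run_scenario(True)` ends with `TransactionStopped` in the event list.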
Attack Vector
This vulnerability requires physical access to the charging infrastructure. An attacker with physical proximity to an EV charging station could exploit the timing vulnerability to maintain an active charging session after a remote stop has been issued. The attack scenario involves:
- Initiating a charging session at a compatible EV charging station
- Triggering conditions that cause a delayed authorization response
- When a RemoteStop is issued (by the operator or system), the delayed authorization response arrives and restores the authorized state
- The charging transaction continues despite the stop command, enabling continued unauthorized energy consumption
The vulnerability does not require authentication or user interaction to exploit, though physical access to the charging station is necessary.
Detection Methods for CVE-2026-33014
Indicators of Compromise
- Charging transactions that remain active after RemoteStop commands have been issued
- Discrepancies between operator logs showing stop commands and billing records showing continued charging
- Unusual timing patterns in authorization response logs during RemoteStop events
- Transaction state inconsistencies where the authorized flag is true after PowerOff events
Detection Strategies
- Monitor for RemoteStop commands that are not followed by successful stop_transaction() calls within expected timeframes
- Implement logging correlation between authorization responses and stop command processing timestamps
- Audit charging station logs for transactions that extend beyond their expected termination time
- Set up alerts for authorization state changes that occur after RemoteStop commands
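As an added example (not part of the original advisory), the following Python check implements the first and last strategies above over a constructed log format; the line layout, field names and event names are assumptions and do not reflect EVerest's real log format:

```python
from datetime import datetime, timedelta
import re

# Constructed line format: "<ISO timestamp> tx=<id> <Event> [key=value ...]".
LINE_RE = re.compile(r"^(?P<ts>\S+) tx=(?P<tx>\w+) (?P<event>\w+)(?: (?P<detail>.*))?$")

# Constructed sample: T1 shows the post-stop re-authorization, T2 is a clean stop.
SAMPLE_LOG = """\
2026-03-26T10:00:00 tx=T1 RemoteStop
2026-03-26T10:00:01 tx=T1 AuthorizationResponse authorized=true
2026-03-26T10:00:02 tx=T1 PowerOff
2026-03-26T10:05:00 tx=T2 RemoteStop
2026-03-26T10:05:03 tx=T2 StopTransaction
"""


def parse(log: str) -> list:
    """Return (timestamp, tx, event, detail) tuples; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m["ts"]), m["tx"], m["event"], m["detail"] or ""))
    return rows


def find_suspect_transactions(log: str, window: timedelta = timedelta(seconds=30)) -> dict:
    """Return {tx: [reasons]} for transactions matching the CVE-2026-33014 pattern.

    Assumes the log is in chronological order.
    """
    rows = parse(log)
    stop_at, stopped, findings = {}, set(), {}
    for ts, tx, event, detail in rows:
        if event == "RemoteStop":
            stop_at[tx] = ts
        elif event == "StopTransaction":
            stopped.add(tx)
        elif (event == "AuthorizationResponse" and tx in stop_at
              and ts >= stop_at[tx] and "authorized=true" in detail):
            # Indicator: authorization restored after the stop was requested.
            findings.setdefault(tx, []).append("authorized=true after RemoteStop")
    if rows:
        last_ts = rows[-1][0]
        for tx, ts in stop_at.items():
            # Indicator: RemoteStop not followed by a stop within the expected window.
            if tx not in stopped and last_ts - ts >= window:
                findings.setdefault(tx, []).append(f"no StopTransaction within {window}")
    return findings


if __name__ == "__main__":
    print(find_suspect_transactions(SAMPLE_LOG))
```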
Monitoring Recommendations
- Enable detailed transaction lifecycle logging on EVerest deployments
- Implement real-time monitoring for state machine inconsistencies in charging sessions
- Configure billing system alerts for anomalous session durations
- Review authorization module logs for delayed response patterns
How to Mitigate CVE-2026-33014
Immediate Actions Required
- Upgrade all EVerest deployments to version 2026.02.0 or later immediately
- Review charging transaction logs for evidence of exploitation
- Implement additional monitoring for RemoteStop command failures pending upgrade
- Consider temporarily disabling remote stop functionality on unpatched systems if business operations permit
Patch Information
EVerest version 2026.02.0 contains the official patch for this vulnerability. The fix addresses the race condition by ensuring that the authorization state machine properly acknowledges pending stop commands and prevents delayed authorization responses from overriding the stop state. Organizations should obtain the patched version from the official EVerest repository.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level controls to reduce authorization response latency
- Add application-level monitoring to detect and alert on post-stop authorization state changes
- Consider implementing manual transaction termination procedures as a backup to RemoteStop functionality
- Deploy additional logging at the charging station controller level to capture all state transitions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.