PT-2026-22220 · Steve · Steve

Bountyyfi · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-28230

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SteVe versions up to and including 3.11.0

Description: SteVe is an open-source EV charging station management system susceptible to a transaction hijacking issue. An attacker who controls a registered charger, or who reaches the unauthenticated SOAP endpoints without any registration, can terminate any other charger's active session across the entire network. This is possible because the system identifies transactions by transactionId only, without verifying that the requesting charger owns the transaction. The issue resides in the OcppServerRepositoryImpl.getTransaction() function, which lacks a chargeBoxId ownership check. An attacker can enumerate sequential transactionId values and send StopTransaction messages to terminate active sessions on other chargers. The API endpoint used in the attack is the StopTransaction message. The vulnerable parameter is transactionId.

Recommendations: Update SteVe to a version after commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e to address the issue.
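The ownership check the description calls for, shown as an added illustration rather than SteVe's own code: an in-memory map stands in for the repository, and the class, record and charge box identifiers are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not SteVe's code: in-memory store contrasting the
// transactionId-only lookup with an ownership-checked one (Java 16+).
public class TransactionOwnershipDemo {
    // Hypothetical record of which charge box opened a transaction.
    record Transaction(int transactionId, String chargeBoxId, boolean active) {}

    private final Map<Integer, Transaction> byId = new HashMap<>();

    void startTransaction(int transactionId, String chargeBoxId) {
        byId.put(transactionId, new Transaction(transactionId, chargeBoxId, true));
    }

    // Vulnerable pattern: resolved by transactionId alone, so a StopTransaction
    // from any charge box ends whichever session holds that id.
    boolean stopUnchecked(int transactionId) {
        Transaction tx = byId.get(transactionId);
        if (tx == null || !tx.active()) return false;
        byId.put(transactionId, new Transaction(transactionId, tx.chargeBoxId(), false));
        return true;
    }

    // Hardened pattern: the charge box identity bound to the OCPP session must
    // match the transaction owner; a mismatch is refused and logged.
    boolean stopChecked(int transactionId, String requestingChargeBoxId) {
        Transaction tx = byId.get(transactionId);
        if (tx == null || !tx.active()) return false;
        if (!tx.chargeBoxId().equals(requestingChargeBoxId)) {
            System.err.printf("StopTransaction %d from %s refused: owned by %s%n",
                    transactionId, requestingChargeBoxId, tx.chargeBoxId());
            return false;
        }
        byId.put(transactionId, new Transaction(transactionId, tx.chargeBoxId(), false));
        return true;
    }

    public static void main(String[] args) {
        TransactionOwnershipDemo repo = new TransactionOwnershipDemo();
        repo.startTransaction(42, "CB-A");   // constructed sample session
        System.out.println(repo.stopUnchecked(42));        // ends it, whoever asks
        repo.startTransaction(43, "CB-A");
        System.out.println(repo.stopChecked(43, "CB-B"));  // another charge box: refused
        System.out.println(repo.stopChecked(43, "CB-A"));  // the owner: allowed
    }
}
```

The refusal log line is the detection hook: a StopTransaction whose session identity does not match the transaction owner is exactly the event this advisory describes.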

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-28230
GHSA-6X38-4W7H-CWR8

Affected Products

Steve