PT-2026-28383 · Everest · Everest

Finder16 · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-29044

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: EVerest versions prior to 2026.02.0

Description: EVerest is an EV charging software stack. When a WithdrawAuthorization request is processed before the TransactionStarted event, AuthHandler determines that the transaction is not active (transaction active = false) and only invokes the withdraw authorization callback. That path ultimately calls Charger::deauthorize(), but no StopTransaction is issued while the charger is in the Charging state. As a result, the withdrawal of authorization can be defeated by timing, and charging continues. The vulnerable code path involves the withdraw authorization callback and the Charger::deauthorize() function; the transaction active variable is the key input for selecting the correct authorization flow.

Recommendations: Update to version 2026.02.0 or later.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-29044
GHSA-GX37-P775-QF5V

Affected Products

Everest