SteVe is an open-source EV charging station management system widely used to monitor and control charging sessions. In versions up to and including 3.11.0, a critical design flaw exists in the handling of StopTransaction messages sent by chargers. When a charger requests to stop a transaction, SteVe identifies the transaction solely by its transactionId, a sequential integer starting from 1, without verifying that the requesting charger (chargeBoxId) is the owner of that transaction. The vulnerable method, OcppServerRepositoryImpl.getTransaction(), queries transactions only by transactionId and does not check chargeBoxId ownership. The validator ensures the transaction exists and is active but does not verify the identity of the requester. This allows any authenticated charger to enumerate transaction IDs and send StopTransaction messages to forcibly terminate other chargers’ active sessions across the entire network. Furthermore, when combined with an existing issue (FINDING-014) involving unauthenticated SOAP endpoints, the attack can be executed without any registered charger credentials, requiring only knowledge of a chargeBoxId. This significantly lowers the barrier to exploitation, enabling attackers to disrupt EV charging operations en masse. The vulnerability is tracked as CVE-2026-28230 with a CVSS 4.0 base score of 5.7, indicating medium severity. The root cause is improper access control (CWE-284). A patch has been committed (commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e) to add proper ownership verification and restrict unauthorized StopTransaction requests.

The vulnerability allows attackers to disrupt EV charging infrastructure by forcibly terminating active charging sessions across the entire network. This can lead to denial of service for EV users, causing inconvenience, potential financial loss, and reputational damage to charging network operators. In large-scale deployments, coordinated exploitation could degrade service availability, impacting critical transportation infrastructure and undermining trust in EV charging services. The ability to execute the attack without authentication (when combined with the unauthenticated SOAP endpoint issue) increases the risk of widespread abuse by external attackers. This could also facilitate further attacks by causing confusion or forcing manual intervention. Organizations relying on SteVe for EV charging management may face operational disruptions, customer dissatisfaction, and increased support costs. The vulnerability does not appear to allow data theft or code execution but severely impacts availability and integrity of charging sessions.

1. Immediately upgrade SteVe to a version including the fix from commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e or later, which enforces chargeBoxId ownership verification for StopTransaction requests. 2. Restrict network access to SteVe management interfaces and SOAP endpoints using firewalls, VPNs, or zero-trust network segmentation to prevent unauthorized access. 3. Implement strong authentication and authorization controls for all chargers and management clients interacting with SteVe. 4. Monitor logs for unusual StopTransaction requests, especially those targeting multiple transaction IDs or originating from unexpected chargeBoxIds. 5. Disable or secure any unauthenticated SOAP endpoints to prevent exploitation without credentials. 6. Conduct regular security audits and penetration testing focused on access control mechanisms within the EV charging management system. 7. Educate operational teams about the risk of session hijacking and denial of service attacks targeting charging infrastructure. 8. Consider implementing rate limiting or anomaly detection on transaction termination requests to detect and block enumeration attempts.