The vulnerability identified as CVE-2026-29044 affects the EVerest everest-core software, a component of an EV charging software stack. The issue arises from incorrect authorization logic (CWE-863) when handling WithdrawAuthorization messages that occur before the TransactionStarted event. In this scenario, the AuthHandler sets the transaction_active flag to false and only invokes the withdraw_authorization_callback, which calls Charger::deauthorize(). However, this deauthorization does not trigger a StopTransaction event, meaning the charging session continues despite the authorization withdrawal. This timing-based flaw allows an attacker or user with sufficient privileges to circumvent the intended authorization withdrawal mechanism, effectively continuing to charge without valid authorization. The vulnerability requires network access and privileges to send WithdrawAuthorization commands but does not require user interaction. The flaw impacts the integrity of the charging process by allowing unauthorized continued charging, with a minor impact on availability (charging continues rather than stopping). Confidentiality is not affected. The issue is resolved in version 2026.02.0 of everest-core. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 score is 5.0, reflecting medium severity with network attack vector, high complexity, and required privileges.

This vulnerability undermines the integrity of the EV charging authorization process, allowing unauthorized continued charging sessions. For organizations operating EV charging infrastructure using affected versions of everest-core, this could lead to financial losses due to unauthorized energy consumption and potential disputes with customers over billing. It may also erode trust in the charging service provider’s security and operational controls. While the vulnerability does not directly impact confidentiality or cause full denial of service, the ability to bypass authorization could be exploited in coordinated attacks to disrupt billing systems or cause operational confusion. The impact is particularly relevant for large-scale EV charging networks, fleet operators, and public charging stations where accurate authorization and billing are critical. The absence of known exploits reduces immediate risk, but the medium severity score and availability of a patch necessitate prompt remediation to prevent future exploitation.

Organizations should upgrade all instances of everest-core to version 2026.02.0 or later, which contains the patch addressing this authorization flaw. In addition, operators should implement monitoring and alerting for anomalous WithdrawAuthorization and StopTransaction message sequences to detect potential exploitation attempts. Network segmentation and strict access controls should be enforced to limit which entities can send authorization-related commands, reducing the risk of unauthorized message injection. Conduct thorough testing of authorization workflows after patching to ensure the WithdrawAuthorization and StopTransaction events are correctly synchronized. Consider implementing additional logging and audit trails for transaction state changes to facilitate forensic analysis if suspicious activity is detected. Finally, coordinate with EV charging hardware vendors to verify that firmware and software versions are compatible and secure against this timing-based vulnerability.