{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33014", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.665Z", "datePublished": "2026-03-26T16:40:40.062Z", "dateUpdated": "2026-03-26T18:24:11.044Z"}, "containers": {"cna": {"title": "EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:42:26.062Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch."}], "source": {"advisory": "GHSA-43xm-5m3v-52hm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:48:02.431251Z", "id": "CVE-2026-33014", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:24:11.044Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33014", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:48:02.431251Z"}}}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:12.658Z"}}], "cna": {"title": "EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop", "source": {"advisory": "GHSA-43xm-5m3v-52hm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:42:26.062Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33014", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:24:11.044Z", "dateReserved": "2026-03-17T17:22:14.665Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:40:40.062Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE. Antes de la versi\u00f3n 2026.02.0, durante el procesamiento de RemoteStop, una respuesta de autorizaci\u00f3n retrasada restaura 'authorized' a verdadero, anulando la condici\u00f3n de llamada a 'stop_transaction()' en eventos de apagado. Como resultado, la transacci\u00f3n puede permanecer abierta incluso despu\u00e9s de una parada remota. La versi\u00f3n 2026.02.0 contiene un parche."}], "id": "CVE-2026-33014", "lastModified": "2026-03-31T13:53:28.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:37.977", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-43xm-5m3v-52hm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T15:38:11.498150+00:00", "value": {"mitigation_remediation": ["Upgrade EVerest everest\u2011core to version 2026.02.0 or newer.", "Restart the charging station after the upgrade to apply the patch.", "Verify that the authorized flag resets correctly by monitoring transaction logs after a RemoteStop command."], "summary": {"action": "Apply Patch", "impact": "Failed Termination of EV Charging Sessions"}, "threat_synthesis": {"affected_systems": "The flaw affects the EVerest everest\u2011core software stack used in electric vehicle charging stations. Any installation of everest\u2011core released before version 2026.02.0 is vulnerable; the issue is present in all prior releases regardless of deployment platform.", "description_and_impact": "During RemoteStop processing in EVerest pre\u20112026.02.0, a delayed authorization response reinstates the authorized flag to true, which defeats the stop_transaction() check that should halt power output on a PowerOff event. This flaw allows a charging transaction to remain active even after a remote stop command has been issued. An attacker could exploit this to force the charger to continue supplying power, potentially causing unintended energy consumption and financial loss. The vulnerability involves improper authorization handling (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 5.2 indicates moderate severity, and the EPSS of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The most probable attack vector involves an entity with the ability to send RemoteStop commands through the charger\u2019s remote management interface; this requires privileged access to the remote control system. While the risk is moderate, the ease of triggering the fault is low without such access."}}}}, "created": "2026-03-27T08:33:45.695658+00:00", "updated": "2026-03-31T20:08:47.319392+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}