CVE-2026-28230 is a medium-severity vulnerability affecting the steve EV charging station management system, specifically in versions up to and including 3.11.0. The vulnerability allows any authenticated charger to terminate another charger's active session across the entire network. The issue arises due to insufficient verification when processing StopTransaction messages, which are only checked by transactionId without confirming the identity of the requesting charger.
The vulnerability has a CVSS score of 5.7, categorizing it as medium severity. The primary concern is that attackers may leverage this flaw to disrupt operations by stopping active sessions of other chargers without authorization. This risk to organizations includes potential service disruptions and unauthorized access to charger management functionalities.
Organizations should prioritize patching immediately. A fix has been provided in commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e. Failure to address this vulnerability could leave organizations exposed to significant operational risks.
This vulnerability exemplifies the importance of implementing robust identity verification mechanisms in networked systems, particularly those managing critical infrastructure like EV charging stations.
Vulnerability Details
The official description states that SteVe is an open-source EV charging station management system. The vulnerability occurs when a charger sends a StopTransaction message, and SteVe looks up the transaction solely by transactionId without verifying that the requesting charger matches the charger that originally started the transaction. The root cause is found in OcppServerRepositoryImpl.getTransaction(), which queries only by transactionId with no chargeBoxId ownership check.
The attacker can control a registered charger, enumerate sequential transaction IDs, and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. This vulnerability falls under CWE-284, indicating improper access control.
The CVSS score of 5.7 indicates a medium severity, with low attack complexity and low privileges required. The vulnerability is exploitable over the network and has a significant availability impact.
Technical Analysis
The root cause of CVE-2026-28230 lies in the implementation of the transaction handling in the SteVe system. Specifically, the OcppServerRepositoryImpl.getTransaction() method queries transactions based solely on the transactionId, without verifying the chargeBoxId ownership. This oversight allows any authenticated charger to terminate sessions initiated by other chargers.
The attack vector is network-based, and the complexity is low, making it accessible to attackers with minimal privileges. User interaction is not required to exploit this vulnerability, which increases its risk potential. The impact on availability is high, as it allows unauthorized termination of active sessions.
Risk & Impact Analysis
The real-world deployment risk associated with CVE-2026-28230 is substantial. Organizations operating EV charging stations could face significant operational disruptions if attackers exploit this vulnerability to terminate active sessions. The blast radius of this vulnerability is considerable, as it affects all chargers within the network.
Given the medium severity score and the potential for widespread impact, organizations should assess their exposure and prioritize remediation efforts. The urgency for addressing this vulnerability is heightened by the fact that it is not included in the Known Exploited Vulnerabilities (KEV) catalog, yet it presents a tangible risk that could be exploited by malicious actors.
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
The affected versions include all versions of SteVe prior to and including 3.11.0. Organizations should ensure they are running a patched version to mitigate this vulnerability.
Mitigation & Remediation
Organizations should apply the security patch provided in commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e to remediate the vulnerability. If immediate patching is not possible, consider implementing network controls to limit access to the management system and monitor for unusual transaction termination events.
For further guidance on validating remediation effectiveness, organizations can leverage penetration testing strategies.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor logs for StopTransaction messages that do not correlate with known transactions initiated by the same charger. Additionally, behavioral anomalies in transaction handling or unauthorized terminations should be flagged for further investigation.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2026-28230 lies in its representation of a broader trend in vulnerabilities related to improper access control mechanisms in connected devices. Security teams should take this as a lesson to continuously evaluate and improve their authentication and authorization processes to prevent similar vulnerabilities.
Organizations can benefit from reviewing their security posture by participating in comprehensive security assessments, such as application security assessments to identify weaknesses and improve their defenses.
Additionally, implementing continuous security monitoring can help organizations stay ahead of potential threats. For those interested in proactive measures, exploring options like continuous penetration testing may provide valuable insights and timely detection of vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)