CVE-2026-28230

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger’s active session across the entire network. The root cause is in OcppServerRepositoryImpl.getTransaction() which queries only by transactionId with no chargeBoxId ownership check. The validator checks that the transaction exists and is not already stopped but never verifies identity. As an attacker controlling a single registered charger I could enumerate sequential transaction IDs and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. Combined with FINDING-014 (unauthenticated SOAP endpoints), no registered charger is even required — the attack is executable with a single curl command requiring only a known chargeBoxId. Commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contains a fix for the issue.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/steve-community/steve/commit/7f169c6c5b36a9c458ec41ce8af581972e5c724e	Patch
https://github.com/steve-community/steve/security/advisories/GHSA-6x38-4w7h-cwr8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:steve-community:steve:*:*:*:*:*:*:*:*

History

03 Mar 2026, 19:59

Type	Values Removed	Values Added
First Time		Steve-community steve Steve-community
CPE		cpe:2.3:a:steve-community:steve::::::::
References	~~() https://github.com/steve-community/steve/commit/7f169c6c5b36a9c458ec41ce8af581972e5c724e -~~	() https://github.com/steve-community/steve/commit/7f169c6c5b36a9c458ec41ce8af581972e5c724e - Patch
References	~~() https://github.com/steve-community/steve/security/advisories/GHSA-6x38-4w7h-cwr8 -~~	() https://github.com/steve-community/steve/security/advisories/GHSA-6x38-4w7h-cwr8 - Vendor Advisory
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.3

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) SteVe es un sistema de gestión de estaciones de carga de vehículos eléctricos de código abierto. En versiones hasta la 3.11.0 inclusive, cuando un cargador envía un mensaje StopTransaction, SteVe busca la transacción únicamente por transactionId (un entero secuencial que comienza en 1) sin verificar que el cargador solicitante coincida con el cargador que inició originalmente la transacción. Cualquier cargador autenticado puede terminar la sesión activa de cualquier otro cargador en toda la red. La causa raíz se encuentra en OcppServerRepositoryImpl.getTransaction() que consulta únicamente por transactionId sin una verificación de propiedad de chargeBoxId. El validador verifica que la transacción existe y no está ya detenida, pero nunca verifica la identidad. Como un atacante que controla un único cargador registrado, podría enumerar IDs de transacción secuenciales y enviar mensajes StopTransaction dirigidos a sesiones activas en todos los demás cargadores de la red simultáneamente. Combinado con FINDING-014 (endpoints SOAP no autenticados), ni siquiera se requiere un cargador registrado; el ataque es ejecutable con un solo comando curl que requiere solo un chargeBoxId conocido. El commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contiene una solución para el problema.

26 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 23:16

Updated : 2026-03-03 19:59

NVD link : CVE-2026-28230

Mitre link : CVE-2026-28230

CVE.ORG link : CVE-2026-28230

JSON object : View

Products Affected

steve-community

steve

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

6.3 /10