CVE-2026-28230

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger’s active session across the entire network. The root cause is in OcppServerRepositoryImpl.getTransaction() which queries only by transactionId with no chargeBoxId ownership check. The validator checks that the transaction exists and is not already stopped but never verifies identity. As an attacker controlling a single registered charger I could enumerate sequential transaction IDs and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. Combined with FINDING-014 (unauthenticated SOAP endpoints), no registered charger is even required — the attack is executable with a single curl command requiring only a known chargeBoxId. Commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contains a fix for the issue.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/steve-community/steve/commit/7f169c6c5b36a9c458ec41ce8af581972e5c724e	Patch
https://github.com/steve-community/steve/security/advisories/GHSA-6x38-4w7h-cwr8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:steve-community:steve:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 23:16

Updated : 2026-03-03 19:59

NVD link : CVE-2026-28230

Mitre link : CVE-2026-28230

CVE.ORG link : CVE-2026-28230

JSON object : View

Products Affected

steve-community

steve

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2026-28230", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T23:16:36.733", "references": [{"url": "https://github.com/steve-community/steve/commit/7f169c6c5b36a9c458ec41ce8af581972e5c724e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/steve-community/steve/security/advisories/GHSA-6x38-4w7h-cwr8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger\u2019s active session across the entire network. The root cause is in OcppServerRepositoryImpl.getTransaction() which queries only by transactionId with no chargeBoxId ownership check. The validator checks that the transaction exists and is not already stopped but never verifies identity. As an attacker controlling a single registered charger I could enumerate sequential transaction IDs and send StopTransaction messages targeting active sessions on every other charger on the network simultaneously. Combined with FINDING-014 (unauthenticated SOAP endpoints), no registered charger is even required \u2014 the attack is executable with a single curl command requiring only a known chargeBoxId. Commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contains a fix for the issue."}, {"lang": "es", "value": "SteVe es un sistema de gesti\u00f3n de estaciones de carga de veh\u00edculos el\u00e9ctricos de c\u00f3digo abierto. En versiones hasta la 3.11.0 inclusive, cuando un cargador env\u00eda un mensaje StopTransaction, SteVe busca la transacci\u00f3n \u00fanicamente por transactionId (un entero secuencial que comienza en 1) sin verificar que el cargador solicitante coincida con el cargador que inici\u00f3 originalmente la transacci\u00f3n. Cualquier cargador autenticado puede terminar la sesi\u00f3n activa de cualquier otro cargador en toda la red. La causa ra\u00edz se encuentra en OcppServerRepositoryImpl.getTransaction() que consulta \u00fanicamente por transactionId sin una verificaci\u00f3n de propiedad de chargeBoxId. El validador verifica que la transacci\u00f3n existe y no est\u00e1 ya detenida, pero nunca verifica la identidad. Como un atacante que controla un \u00fanico cargador registrado, podr\u00eda enumerar IDs de transacci\u00f3n secuenciales y enviar mensajes StopTransaction dirigidos a sesiones activas en todos los dem\u00e1s cargadores de la red simult\u00e1neamente. Combinado con FINDING-014 (endpoints SOAP no autenticados), ni siquiera se requiere un cargador registrado; el ataque es ejecutable con un solo comando curl que requiere solo un chargeBoxId conocido. El commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e contiene una soluci\u00f3n para el problema."}], "lastModified": "2026-03-03T19:59:51.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:steve-community:steve:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9013F4F8-9CF8-4EEA-AB1F-444A22F863F5", "versionEndIncluding": "3.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}