Medium severity5.0NVD Advisory· Published Mar 26, 2026· Updated Mar 31, 2026

CVE-2026-29044

Description

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transaction_active=false and only calls withdraw_authorization_callback. This path ultimately calls Charger::deauthorize(), but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.

Affected products

Linux Foundation/Everest
cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Range: <2026.02.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/EVerest/EVerest/security/advisories/GHSA-gx37-p775-qf5vnvdExploitVendor Advisory

News mentions

The State of Ransomware – Q1 2026
Check Point Research · May 11, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)
Wordfence Blog · Apr 30, 2026
Feuding Ransomware Groups Leak Each Other's Data
Dark Reading · Apr 28, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)
Wordfence Blog · Apr 16, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)
Wordfence Blog · Apr 9, 2026

cvss	0.325
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000