CVE-2026-33014 MEDIUM

CVE-2026-33014: EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

Vendor Everest

Product everest-core

Weakness CWE-863 · Incorrect authorization

Published March 26, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

5.2/10

Attack vector Physical

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch.

Key dates

02Disclosure timeline

March 26, 2026 CVE published

March 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33014 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-33014: EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

01Description

02Disclosure timeline

03References

04Related CVE