CVE-2026-4155 HIGH

CVE-2026-4155: ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability

Vendor Chargepoint
Product Home Flex
Weakness CWE-540
Published April 11, 2026
Last update April 13, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.

Key dates

02Disclosure timeline

April 11, 2026 CVE published
April 13, 2026 Record updated