Skip to main content

Home Flex CVE-2026-4155

| EUVDEUVD-2026-21639 HIGH
Inclusion of Sensitive Information in Source Code (CWE-540)
2026-04-11 zdi GHSA-69j2-hc78-98c7
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21639
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.

AnalysisAI

Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.

Technical ContextAI

CWE-540 violation: genpw script contains hardcoded cryptographic seed value used for credential generation/derivation. Deterministic seed enables attackers to reproduce cryptographic operations, effectively reversing password protection mechanisms. CVSS vector AV:N/AC:L/PR:N indicates remotely accessible code with no complexity barriers.

RemediationAI

No vendor-released patch identified at time of analysis. Primary mitigation requires ChargePoint to release firmware update removing hardcoded seed and implementing secure random seed generation per cryptographic best practices. Interim workarounds: (1) isolate affected charging stations on dedicated network segment with strict firewall rules blocking unauthorized remote access; (2) monitor network traffic for abnormal credential access patterns; (3) implement network-level authentication (802.1X) if supported; (4) disable remote management features until patch deployment. Consult ZDI advisory for disclosure timeline and vendor coordination status: https://www.zerodayinitiative.com/advisories/ZDI-26-195/. Organizations should contact ChargePoint support for patch availability and apply updates immediately upon release.

Share

CVE-2026-4155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy