Description
ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.
Published: 2026-04-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure leading to credential exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the genpw script of ChargePoint Home Flex charging stations, which includes a secret cryptographic seed value. Because the seed is exposed in the script, an attacker who can access the device can retrieve stored credentials without authentication, compromising the confidentiality of the system. This flaw is a classic instance of source code information disclosure (CWE‑540).

Affected Systems

The affected product is ChargePoint Home Flex. No specific firmware or software version ranges are supplied in the advisory, so any installation using the genpw script is potentially vulnerable unless a patch has been applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Exploitation does not require authentication, and a remote attacker can trigger the disclosure by accessing the station through its management interface or network. EPSS data is unavailable, but the lack of KEV listing suggests that widespread exploitation is not yet documented. Nevertheless, the combination of high severity and remote attackability means the risk is significant for operators who have not yet updated their devices.

Generated by OpenCVE AI on April 11, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the ChargePoint website or support contact for any available firmware or software updates that remove the exposed seed from the genpw script.
  • If a patch is not yet released, locate the genpw script on the device’s filesystem and remove or redact the embedded seed value before the script is made accessible to users.
  • Apply any interim security controls, such as restricting network access to the charging station’s management ports, disabling unnecessary services, and monitoring logs for attempts to read the script file.
  • After remediation, verify that no sensitive data remains in accessible scripts and conduct a secondary scan to confirm the vulnerability has been remediated.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Chargepoint home Flex Cph50; Chargepoint home Flex Cph50 Firmware |
| CPEs | | cpe:2.3:h:chargepoint:home_flex_cph50:-:*:*:*:*:*:*:*; cpe:2.3:o:chargepoint:home_flex_cph50_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Chargepoint home Flex Cph50; Chargepoint home Flex Cph50 Firmware |

Mon, 13 Apr 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 13 Apr 2026 13:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Chargepoint; Chargepoint home Flex |
| Vendors & Products | | Chargepoint; Chargepoint home Flex |

Sat, 11 Apr 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340. |
| Title | | ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability |
| Weaknesses | | CWE-540 |
| References | | |
| Metrics | | cvssV3_0: {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-13T17:23:38.780Z

Reserved: 2026-03-13T20:33:53.560Z

Link: CVE-2026-4155

Vulnrichment

Updated: 2026-04-13T17:23:34.981Z

NVD

Status: Analyzed

Published: 2026-04-11T01:16:17.230

Modified: 2026-04-27T17:42:30.567

Link: CVE-2026-4155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:56Z

Weaknesses