(CVE‑2026‑4155) ChargePoint Home Flex Sensitive Information Disclosure Vulnerability
What It Is – A source‑code information‑disclosure flaw in the genpw script of ChargePoint’s Home Flex EV‑charging station. The script embeds a secret cryptographic seed, allowing anyone on the Internet to retrieve stored credentials without authentication.
Exploitability – The vulnerability is network‑accessible (AV:N) and requires neither privileges (PR:N) nor user interaction (UI:N). A public PoC exists in the advisory; CVSS 7.5 (High). No ransomware or worm is known to be exploiting it, but the exposed credentials can be leveraged for further compromise of charging‑network management systems.
Affected Products – ChargePoint Home Flex charging stations (all firmware prior to CPH50 5.5.4.22).
TPRM Impact –
- Third‑party EV‑charging infrastructure may expose fleet‑operator credentials, creating a supply‑chain foothold.
- Compromise of a charging station can cascade to the vendor’s cloud‑based management platform, affecting multiple customers.
Recommended Actions –
- Verify firmware version; upgrade immediately to CPH50 5.5.4.22 or later.
- Conduct an inventory of all ChargePoint Home Flex units across the organization and any downstream partners.
- Rotate any credentials stored on the devices and on the associated management portal.
- Review network segmentation; isolate charging stations from critical corporate assets.
- Add the CVE to your vulnerability‑management feed and monitor for any anomalous traffic to the genpw endpoint.
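The inventory check and the endpoint monitoring from the actions above, as an added Python example that is not from the advisory or from ChargePoint; it assumes a hypothetical access‑log format, a hypothetical request path containing `genpw` and an assumed management subnet, and compares firmware versions numerically so that 5.5.4.9 is correctly ranked below the fixed 5.5.4.22.

```python
import ipaddress
import re

# Fixed release named in the advisory: CPH50 5.5.4.22. Anything older is affected.
FIXED_VERSION = (5, 5, 4, 22)

def parse_version(firmware: str) -> tuple:
    """Extract the dotted version from a string like 'CPH50 5.5.4.9' as a tuple of ints,
    so that 5.5.4.9 compares lower than 5.5.4.22 (a plain string compare gets this wrong)."""
    m = re.search(r"\d+(?:\.\d+)+", firmware)
    if not m:
        raise ValueError(f"no version number in {firmware!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_vulnerable(firmware: str) -> bool:
    return parse_version(firmware) < FIXED_VERSION

def triage_inventory(devices: dict) -> list:
    """devices maps an asset id to its reported firmware string; returns ids still needing upgrade."""
    return sorted(d for d, fw in devices.items() if is_vulnerable(fw))

# Hypothetical access-log format (the advisory documents none): "<src ip> <method> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
MGMT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed management subnet

def genpw_hits(log_lines, trusted_net=MGMT_NET) -> list:
    """Return (src, path) for every request touching the genpw script from outside trusted_net."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, _method, path, _status = m.groups()
        if "genpw" in path.lower() and ipaddress.ip_address(src) not in trusted_net:
            hits.append((src, path))
    return hits

# Constructed sample data (asset ids, firmware strings and log lines are made up for this example).
INVENTORY = {"charger-01": "CPH50 5.5.4.9", "charger-02": "CPH50 5.5.4.22", "charger-03": "CPH50 5.5.3.40"}
SAMPLE_LOG = [
    "10.20.1.5 GET /status 200",
    "203.0.113.7 GET /cgi-bin/genpw 200",   # external source reaching the script: flagged
    "10.20.1.9 GET /cgi-bin/genpw 200",     # from the management subnet: not flagged
]

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))   # ['charger-01', 'charger-03']
    print(genpw_hits(SAMPLE_LOG))        # [('203.0.113.7', '/cgi-bin/genpw')]
```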