CVE-2026-4155
Published: 11 April 2026
Summary
CVE-2026-4155 is a high-severity Inclusion of Sensitive Information in Source Code (CWE-540) vulnerability in ChargePoint Home Flex CPH50 firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 26.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21639
Vulnerability details
ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Remote unauthenticated disclosure of hardcoded cryptographic seed enabling credential access on public-facing device.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detection and removal of spilled information addresses cases where sensitive data was included in source code.
Screening helps prevent intentional insertion of sensitive information into source code by untrusted developers.
Prevents inclusion of sensitive information in source code and development artifacts through SDLC-wide OPSEC controls.