ZDI 2026-03-16

ZDI-26-195: (Pwn2Own) ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability

CVE-2026-4155

Machine-generated analysis · WAYSCloud LLM

The vulnerability allows unauthorized remote disclosure of sensitive information from ChargePoint Home Flex charging stations without authentication.

Context

The advisory describes an information disclosure vulnerability in ChargePoint Home Flex charging stations. The source indicates the vulnerability exposes sensitive information and does not require authentication for exploitation.

Operator considerations

Check: Inventory ChargePoint Home Flex charging station deployments
Isolate: Consider network segmentation for charging stations until mitigation is available

From Zero Day Initiative ↗

This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-4155.

Read the full advisory on ZDI →