Platform
linux
Component
chargepoint-home-flex
Fixed in
5.5.5
CVE-2026-4157 is a critical Remote Code Execution (RCE) vulnerability affecting ChargePoint Home Flex devices running versions 5.5.4.13 through 5.5.4.13. This flaw allows a network-adjacent attacker to execute arbitrary code without authentication, potentially leading to complete system compromise. The vulnerability stems from insufficient input validation within the OCPP message handling process, and a fix is available from ChargePoint.
The impact of CVE-2026-4157 is severe due to the ease of exploitation and the potential for complete system takeover. An attacker can leverage this vulnerability to execute arbitrary code in the context of root on the ChargePoint Home Flex device. This could allow them to steal sensitive data, modify device settings, disrupt charging operations, or even use the compromised device as a pivot point to attack other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2026-4157 was disclosed on 2026-04-11. The vulnerability was reported to ChargePoint as ZDI-CAN-26338. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's ease of exploitation suggests a high probability of exploitation if a POC is released. The vulnerability is not currently listed on CISA KEV, but its severity warrants monitoring.
Exploit Status
EPSS
0.25% (48% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4157 is to upgrade ChargePoint Home Flex devices to a patched version as soon as it becomes available from ChargePoint. Until the upgrade is possible, consider segmenting the network to limit the attacker's potential reach if the device is compromised. Network firewalls should be configured to restrict external access to the device's OCPP port. Monitor network traffic for suspicious OCPP messages, particularly those containing unusual or unexpected characters. While a direct WAF rule is unlikely, a proxy can be configured to inspect OCPP traffic for command injection patterns.
Update the ChargePoint Home Flex device to a patched version. Refer to the manufacturer's documentation or website for specific instructions on how to update the device's firmware.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4157 is a Remote Code Execution vulnerability in ChargePoint Home Flex devices, allowing attackers to execute code without authentication.
You are affected if you are using ChargePoint Home Flex versions 5.5.4.13–5.5.4.13. Upgrade to a patched version as soon as possible.
Upgrade your ChargePoint Home Flex device to a patched version released by ChargePoint. Monitor ChargePoint's security advisories for updates.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation if a POC is released.
Refer to ChargePoint's security advisories page for the latest information and updates regarding CVE-2026-4157.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.