Description
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
Published: 2026-01-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Session Hijack
Action: Apply Mitigation
AI Analysis

Impact

Requests in the product embed authentication tokens in the URL query parameter, which can be captured by logs, proxy servers, or Referer headers. This leakage enables attackers to steal the token, potentially hijack the user’s session, and gain unauthorized access to the system. The vulnerability arises from improper handling of authentication credentials in the URL and can lead to confidentiality loss and unauthorized operations.

Affected Systems

SICK AG Incoming Goods Suite is affected. No specific version information is disclosed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. The EPSS score is below 1%, suggesting low current exploitation probability. The vulnerability is not listed in KEV, indicating no known exploit in the wild. Attackers would need to observe or capture traffic that includes the URL containing the token, which is feasible on unencrypted channels or when logs are improperly secured. The impact is limited to session hijack, but once hijacked, attackers could gain unrestricted access to the device functions.

Generated by OpenCVE AI on April 18, 2026 at 06:07 UTC.

Remediation

Vendor Workaround

Please make sure that logs exclude informative level and are stored in a secure way. For more information please follow the official Microsoft Security Considerations document for .NET: https://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-9.0#access-token-logging Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources ”SICK Operating Guidelines” and ”ICS-CERT recommended practices on Industrial Security” could help to implement the general security practices.

OpenCVE Recommended Actions

  • Configure the system so that authentication tokens are never logged or displayed in query parameters, following secure logging guidelines and disabling logging of sensitive request data.
  • Restrict device/network access to trusted entities only, ensuring that only authenticated users can communicate with the system.
  • Apply SICK Operating Guidelines and other industry best practices for secure device configuration, secure log storage, and network segmentation to mitigate the risk of credential exposure.

Generated by OpenCVE AI on April 18, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Title Token Leakage via URL Parameter Enabling Session Hijack

Thu, 29 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Sick
Sick incoming Goods Suite
CPEs cpe:2.3:a:sick:incoming_goods_suite:*:*:*:*:*:*:*:*
Vendors & Products Sick
Sick incoming Goods Suite

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sick Ag
Sick Ag incoming Goods Suite
Vendors & Products Sick Ag
Sick Ag incoming Goods Suite

Thu, 15 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
Description Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
Weaknesses CWE-598
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Sick Incoming Goods Suite
Sick Ag Incoming Goods Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T14:52:44.218Z

Reserved: 2026-01-08T09:59:06.199Z

Link: CVE-2026-22644

cve-icon Vulnrichment

Updated: 2026-01-15T14:48:15.128Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T14:16:28.163

Modified: 2026-01-29T17:23:06.450

Link: CVE-2026-22644

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses