Cyber Posture

CVE-2026-22644

Medium

Published: 15 January 2026
Modified: 29 January 2026
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22644 is a medium-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability in Sick Incoming Goods Suite. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). EPSS ranks it at the 8.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Web Session Cookie (T1539) and 2 other techniques.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-598

Protects sensitive data placed in query strings from interception in transit when confidentiality controls like HTTPS are enforced.

MITRE ATT&CK Enterprise Techniques (AI)

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Direct exposure of auth tokens in URLs enables theft (T1539) and subsequent use for impersonation/session hijacking via alternate auth material or valid accounts (T1550.004, T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Certain requests pass the authentication token in the URL as a string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.

Deeper analysis (AI)

CVE-2026-22644 is a vulnerability in certain SICK products where authentication tokens are passed as string query parameters in URLs for specific requests. This exposure makes the tokens susceptible to theft through server logs, proxy logs, and Referer headers (CWE-598). Published on 2026-01-15, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact.

Any network-accessible attacker can exploit this without privileges, authentication, or user interaction by monitoring or accessing logs and headers where the tokens appear. Exploitation enables session hijacking, allowing the attacker to impersonate the user and gain unauthorized access to the affected system.
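The leak paths named above (request URLs and Referer values landing in server or proxy logs) can be checked for on the defender's side. The script below is an added example, not code from this page or from SICK: it scans constructed access-log lines for credential-like query parameters, reports each hit and produces a redacted copy of the line; the list of sensitive parameter names is an assumption and should be tuned to the application.

```python
"""Detect and redact auth tokens leaking via query strings (CWE-598)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed set of credential-like parameter names; extend per application.
SENSITIVE_PARAMS = {"token", "access_token", "auth", "session", "sessionid", "api_key"}

# Absolute (http/https) or path-only URLs that carry a query string.
_URL_RE = re.compile(r'(?:https?://[^\s"?]+|/[^\s"?]*)\?[^\s"]+')

# Constructed sample log lines in combined format: line 1 leaks a token in the
# request path and a session id in the Referer; line 2 is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2026:10:00:00 +0000] "GET /api/items?token=abc123&page=2 HTTP/1.1" '
    '200 512 "https://portal.example.test/home?session=s3cr3t" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jan/2026:10:00:01 +0000] "GET /api/items?page=3 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]


def sensitive_params(url: str) -> list:
    """Names of sensitive query parameters present in a URL (may be path-only)."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url: str) -> str:
    """Replace the value of each sensitive query parameter with REDACTED."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings holds (line_number, url, param_names) for every URL in a line,
    request path or Referer alike, whose query string carries a sensitive
    parameter; redacted_lines is a copy of the input safe for retention.
    """
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        for m in _URL_RE.finditer(line):
            params = sensitive_params(m.group(0))
            if params:
                findings.append((n, m.group(0), params))
        redacted.append(_URL_RE.sub(lambda m: redact_url(m.group(0)), line))
    return findings, redacted


if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for n, url, params in hits:
        print(f"line {n}: {params} exposed in {url}")
    print("\n".join(clean))
```

A hit on a production log is both a detection signal (a token is already on disk) and a prompt to move the token out of the URL into an Authorization header or cookie.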

Mitigation details are provided in the SICK PSIRT advisory at https://sick.com/psirt and the associated CSAF documents, including https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf. Additional context is available from CISA ICS recommended practices at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices and the CVSS calculator at https://www.first.org/cvss/calculator/3.1.

Details

CWE(s): CWE-598

Affected Products: Sick Incoming Goods Suite (all versions)

CVEs Like This One

CVE-2026-22646 - Same product: Sick Incoming Goods Suite
CVE-2026-22911 - Same vendor: Sick
CVE-2026-22917 - Same vendor: Sick
CVE-2026-1626 - Same vendor: Sick
CVE-2025-58587 - Same vendor: Sick
CVE-2026-22910 - Same vendor: Sick
CVE-2025-22387 - Shared CWE-598
CVE-2026-22918 - Same vendor: Sick
CVE-2026-22907 - Same vendor: Sick
CVE-2026-22908 - Same vendor: Sick
