Cyber Resilience

CVE-2026-22644

Medium

Published: 15 January 2026
Modified: 29 January 2026
KEV Added: not listed
Patch: see the SICK PSIRT advisory referenced below for mitigation details
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0003 (9.7th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22644 is a medium-severity vulnerability in SICK Incoming Goods Suite, classified as CWE-598 (Use of GET Request Mechanism With Sensitive Query Strings). Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Steal Web Session Cookie (T1539). EPSS ranks it at the 9.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2026-22644 is a vulnerability in certain SICK products where the authentication token is passed as a query-string parameter in the URL of specific requests. Because web servers, reverse proxies and browsers all record request URLs, the token ends up in server logs, proxy logs, browser history and the Referer header of follow-on requests (CWE-598). Published on 2026-01-15, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): medium severity, with the impact scored as low confidentiality loss.

The vector records no privilege, authentication or user-interaction requirement, but an attacker still needs a vantage point from which the URL is visible: read access to web-server or proxy logs, a position on an intercepting proxy, the browser history of a shared workstation, or control of a third-party site that receives the Referer header when a page carrying the token links to or embeds resources from it. Once captured, the token can be replayed to hijack the session and act as that user against the affected system. TLS does not help here: the query string is encrypted on the wire but decrypted, and logged, at every endpoint and TLS-terminating proxy.
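Defenders who cannot yet change the product can at least confirm whether token-bearing URLs are reaching their own logs and mask them there. The following Python is an added example, not code from this page or from SICK: it scans constructed web-server access-log lines (Apache/nginx combined format) for credential-looking query parameters in both the request line and the Referer field, and shows the redaction a logging layer should apply while the token remains in the URL. The parameter names, hostnames and log lines are assumptions; the advisory does not name the parameter the product uses.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry bearer credentials. This list is an
# assumption: the SICK advisory does not name the parameter the product uses.
TOKEN_PARAMS = {"token", "auth_token", "access_token", "session", "sessionid",
                "api_key", "apikey", "jwt"}

# Apache/nginx "combined" format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 1 carries the token in the
# request itself; line 2 is a same-origin image fetch whose Referer repeats the
# token-bearing page URL; line 3 is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2026:10:02:11 +0000] "GET /igs/api/orders?token=eyJhbGciOiJIUzI1NiJ9.demo.sig HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jan/2026:10:02:12 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://igs.example.internal/igs/ui?token=eyJhbGciOiJIUzI1NiJ9.demo.sig" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jan/2026:10:03:01 +0000] "POST /igs/api/login HTTP/1.1" 200 128 "-" "curl/8.4.0"',
]


def tokens_in_url(url):
    """Return (name, value) pairs of credential-looking query parameters in url."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in TOKEN_PARAMS]


def scan_log(lines):
    """Flag every log line that exposes a token in the request line or Referer.

    Only a prefix of the value is kept in the finding so the scanner's own
    output does not become another copy of the credential.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these separately
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            for name, value in tokens_in_url(url):
                findings.append({"line": lineno, "where": where, "client": m["ip"],
                                 "param": name, "value_prefix": value[:6]})
    return findings


def redact_query(url):
    """Rewrite url so credential-looking query values are masked before logging.

    This is a compensating control for the logging layer only; it does nothing
    about proxies, browser history or Referer headers upstream of it.
    """
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact_query("https://igs.example.internal/igs/ui?token=abc123&page=2"))
```

Line 2 is the case that is easy to miss: the image request itself has no query string, yet the Referer column still carries the token from the page that loaded it, so a log-redaction filter has to cover both columns.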

Mitigation details are provided in the SICK PSIRT advisory at https://sick.com/psirt and the associated CSAF documents, including https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf. Additional context is available from CISA ICS recommended practices at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices and the CVSS calculator at https://www.first.org/cvss/calculator/3.1.

Vulnerability details

Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.

CWE(s)

CWE-598 Use of GET Request Mechanism With Sensitive Query Strings

Related Threats

MITRE ATT&CK Enterprise Techniques

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Use Alternate Authentication Material: Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Direct exposure of auth tokens in URLs enables theft (T1539) and subsequent use for impersonation/session hijacking via alternate auth material or valid accounts (T1550.004, T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22646 (same product: SICK Incoming Goods Suite)
CVE-2026-22911 (same vendor: SICK)
CVE-2026-22908 (same vendor: SICK)
CVE-2026-22907 (same vendor: SICK)
CVE-2026-22910 (same vendor: SICK)
CVE-2026-22909 (same vendor: SICK)
CVE-2025-22387 (shared CWE-598)
CVE-2025-58587 (same vendor: SICK)
CVE-2026-22918 (same vendor: SICK)
CVE-2025-59461 (same vendor: SICK)

Affected Assets

SICK Incoming Goods Suite, all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)

Requires secure management and transmission of authenticators, so that tokens are never embedded in URLs where they can be captured in logs or Referer headers.

SC-8 Transmission Confidentiality and Integrity (prevent)

Mandates cryptographic protection of sensitive data (including session tokens) in transit. Transport encryption alone does not close this finding: the query string is decrypted at the server and at any TLS-terminating proxy and is then written to their logs, so the token must also be moved out of the URL, into an Authorization header or an HttpOnly cookie.

Session authenticity (prevent)

Ensures session authenticity mechanisms do not rely on URL-embedded tokens that are trivially intercepted or replayed.
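A tempting interim control, pending vendor mitigation, is a strict Referrer-Policy on the application's pages. The following Python is an added example, not part of this page or of SICK's guidance: it models the Referer value a browser sends under each Referrer Policy value (following the rules of the Referrer Policy specification) for a constructed page URL that carries a token, and reports which destinations would receive the query string. It shows that the browser default already withholds the query string from cross-origin destinations, that the legacy no-referrer-when-downgrade policy hands it to any HTTPS third party, and that no policy stops same-origin requests from carrying the token into the application's own access log, which is why the controls above require removing the token from the URL rather than trimming the Referer. The hostnames are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _strip_for_referrer(parts):
    """Browsers drop userinfo and fragment from a referrer but keep path and query."""
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def referer_for(page_url, target_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer a browser sends when page_url requests target_url.

    The default argument is the policy modern browsers apply when a page sets
    none. None means the header is omitted entirely.
    """
    p, t = urlsplit(page_url), urlsplit(target_url)
    same_origin = (p.scheme.lower(), p.netloc.lower()) == (t.scheme.lower(), t.netloc.lower())
    downgrade = p.scheme == "https" and t.scheme == "http"
    origin = f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"
    full = _strip_for_referrer(p)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy: {policy}")


def leaks_query(page_url, target_url, policy):
    """True if the page's query string (where the token lives) reaches target_url."""
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and urlsplit(ref).query != ""


def leak_matrix(page_url, targets):
    """Map each policy to the names of targets that would receive the query string."""
    return {pol: [name for name, url in targets.items() if leaks_query(page_url, url, pol)]
            for pol in POLICIES}


# Constructed URLs for illustration; the hostnames are not the product's.
PAGE = "https://igs.example.internal/igs/ui?token=SECRET"
TARGETS = {
    "same-origin": "https://igs.example.internal/static/logo.png",
    "cross-origin": "https://cdn.example.com/lib.js",
    "downgrade": "http://tracker.example.net/pixel.gif",
}

if __name__ == "__main__":
    for pol, leaked in leak_matrix(PAGE, TARGETS).items():
        print(f"{pol:32} -> {leaked}")
```

The row for the default policy is the one to read: only the same-origin target receives the token, and that target is the affected server itself, whose access log is exactly the exposure CWE-598 describes.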
