CVE-2026-22644
Published: 15 January 2026
Summary
CVE-2026-22644 is a medium-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Sick Incoming Goods Suite. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE ranks at the 9.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2026-22644 is a vulnerability in certain SICK products where authentication tokens are passed as query-string parameters in the URL for specific requests. This exposure makes the tokens susceptible to theft through server logs, proxy logs, and Referer headers (CWE-598). Published on 2026-01-15, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact.
Any network-accessible attacker can exploit this without privileges, authentication, or user interaction by monitoring or accessing logs and headers where the tokens appear. Exploitation enables session hijacking, allowing the attacker to impersonate the user and gain unauthorized access to the affected system.
Mitigation details are provided in the SICK PSIRT advisory at https://sick.com/psirt and the associated CSAF documents, including https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf. Additional context is available from CISA ICS recommended practices at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices and the CVSS calculator at https://www.first.org/cvss/calculator/3.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2798
Vulnerability details
Certain requests pass the authentication token in the URL as a query string parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exposure of auth tokens in URLs enables theft (T1539) and subsequent use for impersonation/session hijacking via alternate auth material or valid accounts (T1550.004, T1078).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Requires secure management and transmission of authenticators so tokens are never embedded in URLs where they can be captured in logs or Referer headers.
- SC-8 (Transmission Confidentiality and Integrity): Mandates cryptographic protection of sensitive data (including session tokens) in transit, precluding exposure via query parameters.
- Ensures session authenticity mechanisms do not rely on URL-embedded tokens that are trivially intercepted or replayed.
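As an added, defender-side example (not code from the advisory or from SICK), the following Python audits constructed access-log lines for the CWE-598 pattern described in the analysis and mitigations above, an authentication token in the request query string or in a Referer URL, and shows how to mask such values before they are written to logs. The log format, the parameter names and the token values are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines (token values are made up).
# Format: client method path+query status "referer"
SAMPLE_LOG = """\
10.0.0.5 GET /api/items?page=2 200 "-"
10.0.0.7 GET /api/goods?token=eyJabc.def.ghi&limit=50 200 "-"
10.0.0.9 GET /static/app.js 200 "https://igs.example/ui?session_token=deadbeef1234"
"""

# Query-parameter names treated as authenticators (assumed list; extend per product).
SENSITIVE_PARAMS = {"token", "session_token", "access_token", "auth", "apikey", "api_key"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def find_sensitive_params(url):
    """Return the sorted names of sensitive query parameters present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})


def redact_url(url, mask="REDACTED"):
    """Mask the values of sensitive query parameters; keep everything else intact."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit_log(text):
    """List (line_no, field, params) for each request path or Referer
    carrying an authenticator in its query string (CWE-598 exposure)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, path, _, referer = m.groups()
        for field, url in (("request", path), ("referer", referer)):
            hits = find_sensitive_params(url)
            if hits:
                findings.append((n, field, hits))
    return findings


def sanitize_log(text):
    """Rewrite the log with token values masked in both path and Referer,
    the form that should reach disk or a log collector."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        client, method, path, status, referer = m.groups()
        out.append(f'{client} {method} {redact_url(path)} {status} "{redact_url(referer)}"')
    return "\n".join(out)
```

Running the audit over an existing log inventory gives a quick measure of how widely the tokens have already been written out; the sanitizer belongs in front of any log sink until the product no longer sends tokens in the URL.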