CVE-2026-22646
Published: 15 January 2026
Summary
CVE-2026-22646 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Sick Incoming Goods Suite. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). The vulnerability ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-22646 is an information disclosure vulnerability (CWE-209) in certain applications from SICK, where error messages expose internal system details such as file paths, database errors, or software versions that should remain hidden from end users. This leakage enables attackers to perform reconnaissance by mapping the application's internal structure and identifying potential paths to more severe vulnerabilities. The issue carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and was published on 2026-01-15.
Attackers with low-privilege access, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction. By deliberately triggering error conditions in the application, they obtain sensitive reconnaissance data that provides insight into the system's architecture; beyond this low-impact confidentiality loss there is no direct integrity or availability impact.
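The leak pattern described above, together with the error-handling and output-filtering controls listed under Mitigating Controls, as an added Python example that is not code from SICK or the advisory; the error string, file path and version number are constructed placeholders:

```python
import logging
import re
import uuid

log = logging.getLogger("error-handler")

# Signatures of the internal details CWE-209 leaks through error text:
# file paths, database error fragments and software version strings.
# The patterns are illustrative and constructed for this example.
LEAK_PATTERNS = {
    "file_path": re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.\-]+[\\/])+[\w.\-]*"),
    "db_error": re.compile(r"ORA-\d{5}|SQLSTATE\[\w+\]|syntax error at or near|Unknown column", re.I),
    "version": re.compile(r"\b(?:version|v)\s?\d+\.\d+(?:\.\d+)?\b", re.I),
}


def find_leaks(text):
    """Sorted categories of internal detail found in text.

    Serves as an output filter (SI-15) in front of the client, or as a
    detection check run over captured error responses.
    """
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def vulnerable_error_response(exc):
    """The CWE-209 pattern: raw exception text is returned to the client."""
    return f"Request failed: {exc}"


def safe_error_response(exc, correlation_id=""):
    """Hardened form (SI-11): full detail stays in the server log under an
    opaque id; the client receives only a generic message plus that id."""
    correlation_id = correlation_id or uuid.uuid4().hex
    log.error("request %s failed: %s", correlation_id, exc)
    return f"The request could not be processed. Reference: {correlation_id}"


# Constructed sample internal error; the path and version are placeholders,
# not values taken from the advisory.
SAMPLE_INTERNAL_ERROR = (
    "SQLSTATE[42S22] Unknown column 'sku' in "
    "/opt/example-app/handlers/receive.py line 42 (example-app version 3.4.1)"
)

if __name__ == "__main__":
    exc = RuntimeError(SAMPLE_INTERNAL_ERROR)
    print("leaky:", find_leaks(vulnerable_error_response(exc)))  # ['db_error', 'file_path', 'version']
    print("safe :", find_leaks(safe_error_response(exc, "req-1")))  # []
```

Run `find_leaks` over stored HTTP error bodies to spot responses that already expose these details before an attacker does.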
SICK's PSIRT advisory at https://sick.com/psirt and the associated CSAF provider document sca-2026-0002 (available as JSON at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json and PDF at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf) detail mitigation steps. Additional guidance on ICS recommended practices is available from CISA at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2793
Vulnerability details
Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Error-triggered leakage of file paths, DB errors, and software versions directly enables passive system/software information discovery by low-privileged authenticated users.
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): Directly requires error messages to avoid exposing internal details (paths, versions, DB errors) that enable reconnaissance.
- SI-15 (Information Output Filtering): Filters sensitive information in all outputs, including error responses, before they reach external users.
- Enforces information-flow policies that can block leakage of internal system details through application responses.