CVE-2026-22646
Published: 15 January 2026
Summary
CVE-2026-22646 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Sick Incoming Goods Suite. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). It is ranked at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detects error messages that leak sensitive information as evidence of disclosure.
- The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
- Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.
- Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
- Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
- Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Error-triggered leakage of file paths, DB errors, and software versions directly enables passive system/software information discovery by low-privileged authenticated users.
NVD Description
Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities.
Deeper analysis
CVE-2026-22646 is an information disclosure vulnerability (CWE-209) in certain applications from SICK, where error messages expose internal system details such as file paths, database errors, or software versions that should remain hidden from end users. This leakage enables attackers to perform reconnaissance by mapping the application's internal structure and identifying potential paths to more severe vulnerabilities. The issue carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and was published on 2026-01-15.
Attackers with low-privilege access, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction. By deliberately triggering error conditions in the application, they obtain sensitive reconnaissance data that gives insight into the system's architecture; the impact is limited to a low confidentiality loss (information exposure), with no direct integrity or availability impact.
SICK's PSIRT advisory at https://sick.com/psirt and the associated CSAF provider document sca-2026-0002 (available as JSON at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json and PDF at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf) detail mitigation steps. Additional guidance on ICS recommended practices is available from CISA at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices.
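The mitigating controls listed above and the analysis here both come down to one pattern: keep exception detail in server-side logs and return an opaque reference to the client. The following added example (not code from SICK or the affected product) contrasts a verbose CWE-209 handler with a hardened one and includes a simple check a tester or reviewer can run over response bodies; the exception text, product name, path and version in it are constructed placeholders.

```python
import logging
import re
import uuid

log = logging.getLogger("error-handling-demo")

# Constructed sample exception text of the kind a verbose handler echoes back:
# it carries an exception class, a file path and a product version (all placeholders).
SAMPLE_ERROR = (
    "OperationalError: no such table: deliveries "
    "(db=C:\\ProgramData\\ExampleVendor\\goods.db, app=ExampleApp 1.2.3)"
)

# Markers of internal detail that should never reach an end user.
SENSITIVE_PATTERNS = [
    re.compile(r"[A-Za-z]:\\[^\s]+"),           # Windows file paths
    re.compile(r"/(?:[\w.-]+/)+[\w.-]+"),       # POSIX file paths
    re.compile(r"\b\w+(?:Error|Exception)\b"),  # exception / DB error class names
    re.compile(r"\b\d+\.\d+\.\d+\b"),           # dotted software version numbers
]


def verbose_error_response(exc: Exception) -> dict:
    """Vulnerable pattern (CWE-209): raw exception text is sent to the client."""
    return {"status": 500, "error": str(exc)}


def safe_error_response(exc: Exception) -> dict:
    """Hardened pattern: full detail goes to the server log, the client gets
    a generic message plus an incident id that support staff can correlate."""
    incident_id = uuid.uuid4().hex[:12]
    log.error("incident %s: %r", incident_id, exc)
    return {"status": 500, "error": "An internal error occurred.", "incident_id": incident_id}


def leaks_internal_details(body: str) -> bool:
    """Review/detection check: does a response body contain path, exception
    or version markers? Useful when scanning captured error responses."""
    return any(p.search(body) for p in SENSITIVE_PATTERNS)


if __name__ == "__main__":
    exc = RuntimeError(SAMPLE_ERROR)
    for handler in (verbose_error_response, safe_error_response):
        resp = handler(exc)
        print(handler.__name__, resp, "leaks:", leaks_internal_details(resp["error"]))
```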
Details
- CWE(s)