CVE-2024-55075: CWE-425 Direct Request ('Forced Browsing') in Grocy project Grocy
Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-55075 is a vulnerability in Grocy, an open-source inventory and household management system, affecting versions through 4.3.0. It is classified under CWE-425, Direct Request ('Forced Browsing'). An attacker with low privileges can send direct HTTP requests to pages that the application's user interface does not link to, such as the calendar and recipe pages, and read information that should have required proper authorization rather than merely knowledge of the URL. Per the CVSS 3.1 vector, the issue needs no user interaction (UI:N), is reachable over the network (AV:N) with low attack complexity (AC:L), and requires low privileges (PR:L): the attacker must hold some authenticated account, but not an administrative one. The impact is limited to confidentiality (C:L), with no effect on integrity or availability. No exploits in the wild have been reported and no official patch had been released at the time of this analysis. The root cause is missing or insufficient access-control checks on certain endpoints, so hiding a page from the UI navigation does not stop an authenticated user from enumerating or viewing its data.
Potential Impact
The primary impact of CVE-2024-55075 is unauthorized disclosure of sensitive information stored in Grocy, such as calendar entries and recipe details. Data integrity and system availability are not affected, but leaked information can amount to a privacy violation and give an attacker insight into user behaviour and how the system is used. For organizations that run Grocy with sensitive operational data, such as healthcare facilities managing medical supplies, hospitality businesses managing inventory, or supply-chain operations, this disclosure could support further targeted attacks or social engineering. The requirement for low-level privileges reduces the risk but does not remove it, particularly where user accounts are shared or weakly controlled. With no known exploit and no patch available, organizations remain exposed until a fix ships, which lengthens the window of vulnerability.
Mitigation Recommendations
To mitigate CVE-2024-55075, enforce access control on every sensitive endpoint regardless of whether it is reached through a link or by typing the URL directly. In practice that means role-based access control (RBAC) within Grocy and server-side permission checks on all endpoints, not only those the UI links to. Network segmentation and firewall rules can limit Grocy instances to trusted internal networks or VPN users. Logging and monitoring access to sensitive pages helps detect forced-browsing attempts, for example repeated requests to the calendar or recipe pages from an account whose role grants no access to them. Until an official patch is released, disable or restrict access to pages that the UI does not expose where that is feasible, and update Grocy as soon as a fixed version is available. Finally, educate users about the risks of sharing credentials and enforce strong authentication to reduce the chance that a low-privilege account is compromised.
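The two controls above, a deny-by-default server-side permission check applied to every route and an access log that can be mined for forced-browsing attempts, are shown together in the following added example. It is not Grocy's code: the route table, permission and role names, user accounts and log format are all constructed for illustration, and the only point it borrows from the advisory is that the calendar and recipe pages are not linked from the UI.

```python
"""Added example (not Grocy project code): deny-by-default route
authorization plus a detector over the resulting access log.

Route paths, permission names, roles and users below are constructed for
illustration and do not describe Grocy's real permission model.
"""
from dataclasses import dataclass, field

# Constructed route table: every page the server can render is listed with
# the permission it requires.  A path missing from the table is refused
# outright, so a page being absent from the UI navigation is irrelevant to
# the decision.  That is the gap behind CWE-425.
ROUTE_PERMISSIONS = {
    "/stockoverview": "STOCK_READ",
    "/calendar": "CALENDAR_READ",   # not linked in the hypothetical UI
    "/recipes": "RECIPES_READ",     # not linked in the hypothetical UI
    "/users": "ADMIN",
}

# Constructed role model: each role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "admin": {"STOCK_READ", "CALENDAR_READ", "RECIPES_READ", "ADMIN"},
    "stock_clerk": {"STOCK_READ"},
}

# Pages the UI never links to; repeated denials here are the signal we want.
UNLINKED_PATHS = {"/calendar", "/recipes"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


@dataclass
class Decision:
    status: int     # HTTP status the server would return
    log_line: str   # audit record written to the access log


def authorize(user, path: str) -> Decision:
    """Decide whether `user` (None when unauthenticated) may fetch `path`.

    Order of checks: unauthenticated callers get 401, paths that are not
    registered get 404, and an authenticated caller lacking the route's
    permission gets 403.  Every decision is logged so that denials can be
    correlated later; nothing depends on how the page was reached.
    """
    who = user.name if user else "anonymous"
    if user is None:
        return Decision(401, f"deny user={who} path={path} reason=unauthenticated")
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        return Decision(404, f"deny user={who} path={path} reason=unregistered-route")
    if required not in user.permissions():
        return Decision(403, f"deny user={who} path={path} reason=missing:{required}")
    return Decision(200, f"allow user={who} path={path} perm={required}")


def flag_forced_browsing(log_lines, threshold: int = 3):
    """Return users with at least `threshold` denials on unlinked pages.

    Parses the `key=value` fields produced by `authorize`; allow lines and
    denials on ordinary linked pages are ignored.
    """
    counts = {}
    for line in log_lines:
        if not line.startswith("deny "):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("path") not in UNLINKED_PATHS:
            continue
        counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    clerk = User("clerk", {"stock_clerk"})
    admin = User("admin", {"admin"})
    # Constructed request sequence: a clerk probing pages the UI never showed.
    log = [authorize(clerk, p).log_line
           for p in ("/stockoverview", "/calendar", "/recipes", "/calendar")]
    log.append(authorize(admin, "/calendar").log_line)
    for entry in log:
        print(entry)
    print("flagged:", flag_forced_browsing(log))
```

The check sits in front of the route table rather than inside individual page handlers, so a newly added page cannot be forgotten; an unregistered path fails closed. The detector is deliberately simple (a count per user over a window of lines) so that the same log format can feed a SIEM rule keyed on `reason=missing:` against the unlinked paths.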
Affected Countries
United States, Germany, Netherlands, United Kingdom, Canada, Australia, France, Switzerland, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-12-06T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bccb7ef31ef0b55affa
Added to database: 2/25/2026, 9:38:20 PM
Last enriched: 2/26/2026, 2:00:48 AM
Last updated: 4/12/2026, 1:00:07 PM