
CVE-2026-22639: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in SICK AG Incoming Goods Suite

Severity: Medium
Published: Thu Jan 15 2026 (01/15/2026, 13:12:03 UTC)
Source: CVE Database V5
Vendor/Project: SICK AG
Product: Incoming Goods Suite

Description

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01.

AI-Powered Analysis

Last updated: 01/15/2026, 13:49:49 UTC

Technical Analysis

CVE-2026-22639 is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and affects the Incoming Goods Suite product by SICK AG. The root cause lies in the Grafana Alerting DingDing integration component, which was not adequately protected, so users with Viewer-level permissions could access alerting information that should be restricted to higher roles. Grafana is widely used for monitoring and observability, and the DingDing integration is a notification channel for alerts. The flaw lets authenticated but low-privileged actors read potentially sensitive monitoring data, such as operational metrics or alert details, that may aid further attacks or leak confidential business information. The CVSS v3.1 base score is 4.3 (medium): the attack vector is network-based with low complexity, privileges are required but no user interaction, and only confidentiality is impacted. The vulnerability was publicly disclosed on January 15, 2026; fixed builds were released for each supported branch, from 10.4.19+security-01 up to 12.0.1+security-01. No public exploits have been reported, but the exposure risk remains significant for organizations relying on this integration. Integrity and availability are unaffected, but the confidentiality breach could have operational and reputational consequences.

Potential Impact

For European organizations, the exposure of sensitive monitoring and alerting information could lead to several risks, including leakage of operational insights, internal process details, or security alert data. This information could be leveraged by attackers to plan more targeted attacks or gain competitive intelligence. Industries relying on SICK AG’s Incoming Goods Suite, such as manufacturing, logistics, and supply chain operations, may face operational disruptions if sensitive data is exposed. Additionally, exposure of monitoring data could violate GDPR requirements concerning data confidentiality and security, potentially leading to regulatory penalties. The impact is primarily on confidentiality, but the indirect consequences could affect business continuity and trust. Organizations with complex supply chain monitoring setups integrating Grafana and DingDing notifications are particularly at risk. Since the vulnerability requires at least Viewer permissions, insider threats or compromised low-privilege accounts could exploit this flaw.

Mitigation Recommendations

European organizations should immediately verify whether they are running vulnerable versions of SICK AG Incoming Goods Suite with the Grafana Alerting DingDing integration. Applying the vendor-provided fixed builds (10.4.19+security-01 or the corresponding fixed build for the branch in use) is critical. In addition to patching, organizations should audit and restrict Viewer permissions to trusted users only, minimizing the risk of unauthorized data exposure. Implement strict access controls and monitoring on Grafana instances, especially those integrated with alerting channels such as DingDing. Network segmentation and limiting exposure of monitoring platforms to internal networks reduce the attack surface. Regularly review and update alerting configurations to ensure sensitive information is not unnecessarily exposed. Employ anomaly detection to identify unusual access patterns to monitoring data. Finally, ensure compliance with GDPR by documenting the vulnerability management process and data protection measures.
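As a starting point for the version and permission checks recommended above, an added Python example (not from this record, SICK AG or Grafana): it encodes the fixed builds listed in the description, assumes Grafana's convention that an `x.y.z+security-NN` build is a rebuild of release `x.y.z` carrying the fix, assumes the `GET /api/org/users` response shape for the Viewer audit, and uses a constructed sample user list.

```python
"""Added helper (not part of this record): flags Grafana builds older than
the fixed builds listed above and lists Viewer-role accounts to review."""
import re

# Fixed builds from the advisory, keyed by major.minor branch, as
# (major, minor, patch, security_build). Assumption: a '+security-NN' build
# is a rebuild of that release with the fix, so plain 11.4.5 is still affected.
FIXED = {
    (10, 4): (10, 4, 19, 1), (11, 2): (11, 2, 10, 1), (11, 3): (11, 3, 7, 1),
    (11, 4): (11, 4, 5, 1), (11, 5): (11, 5, 5, 1), (11, 6): (11, 6, 2, 1),
    (12, 0): (12, 0, 1, 1),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?")

def parse_version(text):
    """'11.4.5+security-01' -> (11, 4, 5, 1); '11.4.5' -> (11, 4, 5, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))

def is_vulnerable(version_text):
    """True when the build predates the fixed build on its branch. Branches
    the advisory does not list (11.0, 11.1, anything before 10.4) got no fix
    build and are reported vulnerable; branches newer than 12.0 are assumed fixed."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < max(FIXED)

def viewer_accounts(org_users):
    """Logins holding the Viewer role in a GET /api/org/users response."""
    return sorted(u["login"] for u in org_users if u.get("role") == "Viewer")

# Constructed sample shaped like the /api/org/users payload (not real data).
SAMPLE_ORG_USERS = [
    {"login": "admin", "role": "Admin"},
    {"login": "svc-dashboard", "role": "Viewer"},
    {"login": "analyst", "role": "Editor"},
    {"login": "contractor", "role": "Viewer"},
]

if __name__ == "__main__":
    for build in ("11.4.3", "11.4.5", "11.4.5+security-01", "12.1.0"):
        print(build, "vulnerable" if is_vulnerable(build) else "fixed")
    print("Viewer accounts to review:", viewer_accounts(SAMPLE_ORG_USERS))
```

The version string can be read from Grafana's `GET /api/health` response and the user list from `GET /api/org/users` with an admin token; both calls are left out so the block runs offline.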


Technical Details

Data Version: 5.2
Assigner Short Name: SICK AG
Date Reserved: 2026-01-08T09:59:06.198Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6968ec9a4c611209ad10acf1

Added to database: 1/15/2026, 1:33:14 PM

Last enriched: 1/15/2026, 1:49:49 PM

Last updated: 1/15/2026, 7:32:29 PM

