CVE-2026-22641: CWE-285 Improper Authorization in SICK AG Incoming Goods Suite
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
AI Analysis
Technical Summary
CVE-2026-22641 is an improper authorization vulnerability (CWE-285) found in SICK AG's Incoming Goods Suite, which integrates Grafana's datasource proxy API for monitoring purposes. The vulnerability arises because the authorization check can be bypassed by manipulating the URL path, specifically by inserting an extra slash character. This bypass allows users with minimal privileges to gain unauthorized read access to GET endpoints within Alertmanager and Prometheus datasources. These datasources implement route-specific permissions to restrict access, but the flaw undermines those controls and exposes potentially sensitive monitoring data. The vulnerability affects versions identified as '0' (likely indicating initial or early versions) and was published on January 15, 2026. The CVSS v3.1 base score is 5.0 (medium), reflecting a network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with limited confidentiality impact. No known exploits have been reported, and no patches are currently available. The vulnerability does not affect data integrity or availability but compromises confidentiality by exposing read-only data that should be restricted. The issue is significant for environments relying on Grafana-based monitoring integrated with SICK AG's suite, especially where sensitive operational data is monitored.
Potential Impact
For European organizations, the impact centers on unauthorized disclosure of monitoring data from Alertmanager and Prometheus datasources within the Incoming Goods Suite environment. This could lead to exposure of operational metrics, alerting information, and potentially sensitive infrastructure details that adversaries could use for reconnaissance or to plan further attacks. While the vulnerability does not allow modification or disruption of data, the confidentiality breach could undermine trust in monitoring systems and reveal internal process details. Industries such as manufacturing, logistics, and industrial automation—where SICK AG products are commonly deployed—could face increased risk of targeted espionage or competitive intelligence gathering. The medium severity rating reflects the limited scope of impact but highlights the importance of protecting monitoring data in critical infrastructure environments prevalent across Europe.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. These include:
1) Restricting network access to the Incoming Goods Suite and Grafana datasource proxy API to trusted internal networks and VPNs only.
2) Implementing strict firewall rules and web application firewall (WAF) policies to detect and block URL path anomalies such as extra slashes.
3) Enhancing authentication and authorization monitoring to detect unusual access patterns or privilege escalations.
4) Conducting thorough audits of user permissions to ensure only the minimum necessary access is granted.
5) Monitoring logs for unauthorized read attempts on Alertmanager and Prometheus endpoints.
6) Planning for rapid deployment of vendor patches once available and coordinating with SICK AG for updates.
7) Considering temporarily disabling or isolating vulnerable datasource integrations where feasible.
These measures focus on network-level controls, anomaly detection, and strict access governance matched to this vulnerability's exploitation vector.
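The defensive pattern behind recommendations 2) and 5) is to canonicalize the request path before evaluating route-specific permissions and to deny any route that does not match. The Python below is an added illustration, not Grafana's or SICK AG's code; the route table, the role ranking, and the fall-open behaviour of the "vulnerable" matcher are constructed assumptions about how such a bypass can arise, and `is_suspicious` is a hypothetical log-screening helper.

```python
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    path: str           # route prefix as declared by the (hypothetical) datasource
    required_role: str  # minimum role needed to reach it


# Constructed route table and role ranking for the example, not a real plugin's.
ROUTES = [Route("/api/v1/alerts", "Editor"), Route("/api/v1/status", "Viewer")]
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}


def normalize(path: str) -> str:
    """Canonical form: single slashes, dot segments resolved, no trailing slash."""
    collapsed = re.sub(r"/+", "/", "/" + path)   # leading '/' forced, repeats collapsed
    return posixpath.normpath(collapsed)          # resolves '.' and '..'


def authorize_vulnerable(path: str, role: str) -> bool:
    """Assumed weak pattern: raw path matched, and unmatched routes fall open."""
    for route in ROUTES:
        if path.startswith(route.path):
            return ROLE_RANK[role] >= ROLE_RANK[route.required_role]
    return True   # '//api/v1/alerts' matches no route, so the check is skipped


def authorize_hardened(path: str, role: str) -> bool:
    """Canonicalize first, match exact path or a sub-path, deny by default."""
    canon = normalize(path)
    for route in ROUTES:
        if canon == route.path or canon.startswith(route.path + "/"):
            return ROLE_RANK[role] >= ROLE_RANK[route.required_role]
    return False  # unknown route: deny rather than proxy it through


def is_suspicious(path: str) -> bool:
    """Log-screening check: any path that changes under normalization."""
    return normalize(path) != path
```

`is_suspicious` is the condition a WAF rule or a log query would apply to proxied request paths; a non-empty hit list for low-privilege users is the access pattern recommendation 5) asks to watch for.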
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic, Austria, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: SICK AG
- Date Reserved: 2026-01-08T09:59:06.198Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968ec9a4c611209ad10ad01
Added to database: 1/15/2026, 1:33:14 PM
Last enriched: 1/15/2026, 1:49:17 PM
Last updated: 1/15/2026, 4:40:30 PM