CVE-2026-22644: CWE-598 Use of GET Request Method With Sensitive Query Strings in SICK AG Incoming Goods Suite
Certain requests pass the authentication token in the URL as a query-string parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
AI Analysis
Technical Summary
CVE-2026-22644 identifies a security weakness in the SICK AG Incoming Goods Suite where authentication tokens are transmitted as query parameters in HTTP GET requests. This method of token transmission violates secure design principles because URLs are routinely written to web-server and proxy logs, retained in browser history, and leaked via the Referer HTTP header when users navigate to other sites. An attacker with access to these logs or to the network traffic can extract the token and impersonate the legitimate user, gaining unauthorized access to the system. The vulnerability is classified under CWE-598, which concerns the use of GET requests with sensitive query strings. The CVSS 3.1 base score of 5.3 reflects a medium severity, with network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact (token theft). No integrity or availability impacts are noted. The vulnerability affects all versions of the Incoming Goods Suite, indicating a systemic design flaw rather than a version-specific bug. No patches or fixes have been published yet, and no known exploits have been observed in the wild, but the risk remains because an intercepted token is directly usable for session hijacking.
Potential Impact
For European organizations, especially those in manufacturing, logistics, and supply chain management using SICK AG's Incoming Goods Suite, this vulnerability poses a risk of unauthorized access to sensitive operational systems. Attackers who obtain authentication tokens can hijack sessions, potentially leading to data exposure or manipulation of incoming goods records. Although the vulnerability does not directly impact system integrity or availability, unauthorized access could facilitate further attacks or data leakage. The exposure of tokens in URLs also increases the risk of insider threats or accidental leaks through shared logs. Given the critical role of supply chain systems in European industry, exploitation could disrupt operations or compromise sensitive business information. The lack of required privileges or user interaction lowers the barrier for attackers, widening the threat landscape for affected organizations.
Mitigation Recommendations
Organizations should immediately review and modify their use of the Incoming Goods Suite to ensure authentication tokens are never transmitted via URL query parameters. Instead, tokens should be passed in an HTTP header (for example, the Authorization header) or in a POST request body. Network monitoring should be enhanced to detect unusual access patterns or token reuse indicative of session hijacking, such as the same token presented from more than one client address. Access to server and proxy logs must be tightly controlled and regularly audited, and query strings should be redacted before logs are retained or shared. Where possible, implement short-lived tokens and enforce token expiration to limit the window of exploitation. Organizations should also engage with SICK AG to request patches or updated versions that address this design flaw. Additionally, consider deploying web application firewalls (WAFs) to detect and block suspicious requests involving token leakage. User training on secure session handling and awareness of phishing or social engineering attempts can further reduce risk.
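The following is an added example (not code from SICK AG or from this advisory) that covers two of the points above: it scans combined-format access-log lines for authentication tokens exposed in request query strings or Referer headers, flags a token value presented by more than one client address as a reuse indicator, and shows how to redact such values before a URL is logged. The parameter names in `SENSITIVE_PARAMS`, the host `igs.example.invalid` and the log lines are all constructed for the example; the advisory does not name the parameter the Incoming Goods Suite uses.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry session or bearer material (an assumption:
# the advisory does not name the parameter the Incoming Goods Suite uses).
SENSITIVE_PARAMS = {"token", "access_token", "auth_token", "session", "sessionid", "api_key"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines: a token in a GET query string, the same token leaking
# through the Referer header on a later request, and a replay from another client.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2026:13:33:14 +0000] "GET /api/goods?plant=7&token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Jan/2026:13:33:20 +0000] "GET /help HTTP/1.1" 200 88 "https://igs.example.invalid/api/goods?token=abc123" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Jan/2026:13:40:01 +0000] "GET /api/goods?token=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [15/Jan/2026:13:41:00 +0000] "GET /api/health HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]

def sensitive_pairs(url):
    """Yield (name, value) for every sensitive query parameter in a URL or path."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            yield name, value

def scan_log(lines):
    """Return (leaks, reuse). leaks: each request target or Referer carrying a sensitive
    parameter. reuse: token values presented by more than one client (replay indicator)."""
    leaks, clients_by_token = [], {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production scanner would count these
        for field in ("target", "referer"):
            for name, value in sensitive_pairs(m.group(field)):
                leaks.append({"line": n, "field": field, "param": name, "client": m.group("client")})
                clients_by_token.setdefault(value, set()).add(m.group("client"))
    reuse = {t: sorted(c) for t, c in clients_by_token.items() if len(c) > 1}
    return leaks, reuse

def redact_url(url):
    """Replace sensitive query values with [REDACTED] before a URL is logged or shared."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
```

Running `scan_log(SAMPLE_LOG)` reports three exposures (lines 1 and 3 in the request target, line 2 in the Referer) and flags `abc123` as seen from both 10.0.0.5 and 10.0.0.9.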
Affected Countries
Germany, Netherlands, France, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: SICK AG
- Date Reserved: 2026-01-08T09:59:06.199Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968ec9a4c611209ad10ad19
Added to database: 1/15/2026, 1:33:14 PM
Last enriched: 1/15/2026, 1:48:52 PM
Last updated: 2/7/2026, 12:06:15 PM