CVE-2026-22645: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in SICK AG Incoming Goods Suite
The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.
AI Analysis
Technical Summary
CVE-2026-22645 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Incoming Goods Suite product by SICK AG. The vulnerability arises because the application discloses comprehensive details about all used software components, including their versions and license information, to unauthenticated users. This information leakage occurs without requiring any authentication or user interaction, making it accessible to any remote attacker. Although the vulnerability does not directly allow modification or disruption of system operations, it significantly aids attackers by providing reconnaissance data that can be leveraged to identify and exploit known vulnerabilities in the disclosed components. The disclosed information can include third-party libraries or frameworks that may have publicly known exploits. The CVSS v3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact without affecting integrity or availability. No patches or exploits are currently reported, but the vulnerability's existence increases the attack surface and risk profile of affected systems. The vulnerability was published on January 15, 2026, and is relevant to all versions of the Incoming Goods Suite identified as version '0' in the data, which likely represents initial or early releases. The vulnerability is particularly concerning for environments where the Incoming Goods Suite is deployed in critical supply chain or industrial automation contexts, as attackers could use the disclosed information to craft targeted attacks against known component vulnerabilities.
Potential Impact
For European organizations, especially those in manufacturing, logistics, and industrial automation sectors that utilize SICK AG's Incoming Goods Suite, this vulnerability poses a moderate risk. The exposure of detailed component and version information can facilitate targeted attacks by enabling adversaries to identify exploitable weaknesses in third-party components. This reconnaissance can lead to subsequent exploitation attempts that compromise system confidentiality, integrity, or availability. While the vulnerability itself does not directly cause data breaches or service disruption, it lowers the barrier for attackers to plan and execute more damaging attacks. Given the critical role of supply chain and goods management in European industries, successful exploitation of derived vulnerabilities could disrupt operations, cause financial losses, and damage reputations. Additionally, the vulnerability could be leveraged in multi-stage attacks involving lateral movement or privilege escalation within enterprise networks. The lack of authentication requirements increases the exposure risk, as attackers can gather sensitive system information remotely without needing credentials or user interaction.
Mitigation Recommendations
To mitigate CVE-2026-22645, organizations should implement the following specific measures:
1) Restrict access to the system and application metadata endpoints that disclose component and version information by enforcing strong access controls and authentication.
2) Employ network segmentation and firewall rules so that the Incoming Goods Suite management interfaces are reachable only from trusted internal networks.
3) Maintain a thorough inventory of all third-party components used within the Incoming Goods Suite and patch them promptly so that known vulnerabilities in those components are remediated.
4) Monitor logs and network traffic for reconnaissance activity, such as repeated unauthenticated requests to metadata endpoints.
5) Engage with SICK AG for updates or patches addressing this vulnerability and apply them as soon as they become available.
6) Consider deploying a Web Application Firewall (WAF) or Intrusion Detection/Prevention System (IDS/IPS) to detect and block attempts to reach the sensitive information endpoints.
7) Educate IT and security teams about the risks of information disclosure vulnerabilities and the importance of minimizing exposed system details.
These steps focus on access control hardening, proactive monitoring, and component lifecycle management tailored to the nature of this vulnerability.
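As an added illustration of measure 4 (not code from the advisory, from SICK AG, or from the Incoming Goods Suite), the detector below scans web-server access-log lines for clients with no authenticated user that repeatedly fetch a component-metadata endpoint within a short window. The log lines, the endpoint paths and the threshold of three hits in five minutes are constructed assumptions; the advisory does not name the suite's real endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format). The metadata paths are
# placeholders: the advisory does not name the suite's real endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2026:13:01:02 +0000] "GET /api/about/components HTTP/1.1" 200 4821
203.0.113.7 - - [15/Jan/2026:13:01:03 +0000] "GET /api/about/licenses HTTP/1.1" 200 1903
203.0.113.7 - - [15/Jan/2026:13:01:04 +0000] "GET /api/about/components HTTP/1.1" 200 4821
203.0.113.7 - - [15/Jan/2026:13:01:05 +0000] "GET /api/about/components HTTP/1.1" 200 4821
198.51.100.4 - alice [15/Jan/2026:13:02:10 +0000] "GET /api/about/components HTTP/1.1" 200 4821
198.51.100.9 - - [15/Jan/2026:13:05:00 +0000] "GET /login HTTP/1.1" 200 2210
198.51.100.9 - - [15/Jan/2026:13:40:00 +0000] "GET /api/about/components HTTP/1.1" 200 4821
"""
METADATA_PATHS = ("/api/about/components", "/api/about/licenses")  # placeholders
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_metadata_recon(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: hits} for clients with no authenticated user ('-') that fetched
    a metadata endpoint (HTTP 200) at least `threshold` times inside one `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "-" or rec["status"] != 200:
            continue                       # unparsable, authenticated, or failed
        if rec["path"] in METADATA_PATHS:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0                          # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

On the sample, only 203.0.113.7 is flagged (four unauthenticated hits in three seconds); the authenticated client and the single late request from 198.51.100.9 stay below the threshold.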
Affected Countries
Germany, France, Netherlands, Italy, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: SICK AG
- Date Reserved: 2026-01-08T09:59:06.199Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968ec9b4c611209ad10ad39
Added to database: 1/15/2026, 1:33:15 PM
Last enriched: 1/15/2026, 1:48:40 PM
Last updated: 1/15/2026, 4:40:09 PM