HarborGuard Database
CRITICAL  CVE-2026-50890  (CNA: mitre)

CVE-2026-50890: Bernd Bestel grocy v4

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

Metrics

CVSS v3.1 score: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

SQL injection in Bernd Bestel grocy v4.6.0 allows an attacker to manipulate database queries through the product-group parameter of the /stockreports/spendings endpoint. As scored (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), the flaw is reachable over the network and needs neither privileges nor user interaction; operators should still confirm whether their deployment's authentication configuration fronts this endpoint, since that decides whether anonymous requests or only logged-in users can reach the injection point. Successful exploitation gives the attacker read and write access to the underlying grocy database, enabling theft of stored records and tampering with stock and spending data. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available when a fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50890 is available across all HarborGuard environments. Upstream feeds are ingested within minutes of publication, and matching against images in customer registries, CI pipelines and custom-built image layers runs automatically on each scan cycle.

Triage: Available

The CVSS 9.8 Critical score is surfaced alongside per-environment compliance policy weighting, so teams operating stricter policies see this finding flagged at the highest priority. Routing to the appropriate team inbox within each customer organization is handled automatically from the configured ownership rules.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically when the upstream project ships a fix, including triggering the auto-remediation flow for customers who have it enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is served by the grocy web application, so an attacker must be able to reach it over HTTP/HTTPS.

  • Authentication: Not required (PR:N)

    The CVSS vector scores no privileges; the injection point is treated as reachable by anonymous requests.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user action or social engineering is involved.

  • Attack complexity: Low (AC:L)

    A crafted value in the product-group parameter is sufficient; no race condition or environmental precondition is scored.

Blast Radius

  • Reads sensitive records from the grocy database, including user accounts, inventory entries and any API keys or tokens it stores.
  • Modifies or deletes persisted rows, enabling corruption of stock and spending records.
  • May expose configuration values or secrets stored in database tables, widening the attack surface beyond grocy itself.
  • grocy keeps its data in a single SQLite file opened in-process by the PHP application rather than on a separate database server, so any file-system access gained through the injection depends on what the SQLite build and PHP configuration permit (for example ATTACH DATABASE to a writable path, or loadable extensions); assess it per deployment rather than assuming it.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity (CVSS 9.8) for any customer image found to include grocy v4.6.0. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the grocy project releases a remediated version. For customers with auto-remediation enabled, the rebuild, regression-test run and PR against affected workloads are triggered without manual intervention. In the interim, compensating controls worth evaluating include: restricting the /stockreports/spendings path to trusted source ranges at the reverse proxy or ingress in front of grocy (a path-level allow list, which a layer-3/4 network policy alone cannot express); egress filtering on the grocy host or container, since grocy's SQLite database runs inside the PHP process rather than as a separate server, so any file-system or network reach gained through the injection is the application's own; and a web application firewall rule that logs, and once tuned blocks, requests whose product-group value is not a plain numeric id or that contains SQL metacharacters.
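As an added illustration of the last compensating control (this is example code written for this page, not HarborGuard's or the grocy project's own): a small log-triage script that finds requests to /stockreports/spendings whose product-group value fails a strict allowlist and only then looks for SQL metacharacters. The assumption that a legitimate product-group value is an integer id, the sample access-log lines, and the keyword list are all constructed for the example; check the first against your own grocy traffic before turning a logging rule into a blocking one.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/stockreports/spendings"
PARAM = "product-group"

# Constructed sample access-log lines (combined log format). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /stockreports/spendings?product-group=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2026:10:01:09 +0000] "GET /stockreports/spendings?product-group=3%27%20OR%201%3D1-- HTTP/1.1" 200 9810 "-" "curl/8.4.0"
10.0.0.7 - - [12/Mar/2026:10:01:15 +0000] "GET /stockreports/spendings?product-group=%2527%2520UNION%2520SELECT HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2026:10:02:00 +0000] "GET /stockoverview HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client IP, timestamp, request target and status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude SQL metacharacter / keyword detector; consulted only after the allowlist fails.
SQL_META_RE = re.compile(
    r"""['";\\]|--|/\*|\b(?:or|and|union|select|sleep|load_extension|attach)\b""",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so a double-encoded payload (%2527) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(raw):
    """Return (verdict, decoded_value). Assumption: a benign product-group is an integer id."""
    decoded = fully_decode(raw)
    if re.fullmatch(r"\d+", decoded):
        return "ok", decoded
    if SQL_META_RE.search(decoded):
        return "sqli-suspect", decoded
    return "malformed", decoded


def scan_log(text):
    """Return one finding per product-group value on the target path that fails the allowlist."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs already performs one round of percent-decoding and '+' handling.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            verdict, decoded = classify_value(raw)
            if verdict != "ok":
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "verdict": verdict, "value": decoded,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats when turning this into a WAF or SIEM rule. The repeated decoding is there so a double-encoded request is not missed during triage; the server itself decodes only once, so the third sample line reaches grocy as a literal `%27 ...` and the script's verdict says nothing about whether that variant would execute. And access logs only show GET query strings: if the parameter can also arrive in a POST body, the proxy or WAF has to inspect the body, because this log-based check will not see it.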

Affected packages: none listed (n/a)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References