9.8
Unauthenticated access to sensitive AppEngine file areas via HTTP
CVE-2026-2331
Summary
Without authenticating, an attacker can read and edit sensitive files, including files that hold customer passwords and app settings. This could lead to unauthorized changes to the app's behavior and potentially allow malicious code to run. Update the app to fix the vulnerability and ensure proper access controls are in place.
Original title
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem dir...
Original description
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-552
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.json
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.pdf
- https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guid...
- https://www.sick.com/psirt
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026