CVE-2026-50890
Deferred Deferred - Pending Action

SQL Injection in grocy Stock Reports

Vulnerability report for CVE-2026-50890, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bernd_bestel grocy 4.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in Grocy v4.6.0 allows attackers to access sensitive database information by injecting arbitrary SQL commands. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive information.

Specifically, if the compromised database contains personal or health-related data, the vulnerability could result in unauthorized disclosure or modification of such data, thereby breaching compliance requirements for confidentiality, integrity, and security.

Executive Summary

CVE-2026-50890 is an authenticated SQL injection vulnerability found in Grocy version 4.6.0. It occurs in the stock spending report feature at the "/stockreports/spendings" endpoint when the "product-group" parameter is used. The application fails to properly validate or parameterize this input and directly concatenates it into the SQL WHERE clause. This allows an attacker who is logged in to inject arbitrary SQL commands into the database query.

As a result, attackers can read or modify data accessible through the application's SQLite database connection by crafting malicious SQL statements.

Impact Analysis

This vulnerability can allow an authenticated attacker to access sensitive database information by injecting arbitrary SQL commands. Depending on the database permissions and the injected SQL, the attacker may be able to read confidential data or modify it.

Although code execution via custom include paths was not confirmed, the ability to manipulate or extract data from the database can lead to data breaches, unauthorized data disclosure, and potential disruption of application functionality.

Detection Guidance

This vulnerability can be detected by testing the /stockreports/spendings endpoint with the "product-group" parameter for SQL injection. Specifically, an authenticated user can attempt to inject SQL commands via the "product-group" parameter to see if the application improperly concatenates input into the SQL query.

A proof-of-concept involves injecting SQLite functions such as sqlite_version() or pragma_database_list to confirm the vulnerability.

Example command using curl (assuming authentication cookie or token is set):

  • curl -i -X GET 'https://[target]/stockreports/spendings?group-by=product&product-group=1' -H 'Cookie: session=[your_session]'
  • Modify the product-group parameter to include SQL injection payloads like: 1' UNION SELECT sqlite_version()--

If the response contains database version information or other unexpected data, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected endpoint to only trusted authenticated users, as the vulnerability requires authentication.

Additionally, review and update the application code to properly validate and parameterize the "product-group" input to prevent SQL injection.

If a patch or updated version of Grocy addressing this vulnerability is available, apply it as soon as possible.

As a temporary measure, monitor logs for suspicious activity involving the /stockreports/spendings endpoint and consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the "product-group" parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart