CVE-2026-50890: SQL Injection in grocy Stock Reports
Status: Received (intake)

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: bernd_bestel | Product: grocy | Version / Range: 4.6.0
CWE ID: CWE-UNKNOWN
KEV: not listed
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50890 is an authenticated SQL injection vulnerability found in Grocy version 4.6.0. It occurs in the stock spending report feature at the "/stockreports/spendings" endpoint when the "product-group" parameter is used. The application fails to properly validate or parameterize this input and directly concatenates it into the SQL WHERE clause. This allows an attacker who is logged in to inject arbitrary SQL commands into the database query.

As a result, attackers can read or modify data accessible through the application's SQLite database connection by crafting malicious SQL statements.

Impact Analysis

This vulnerability can allow an authenticated attacker to access sensitive database information by injecting arbitrary SQL commands. Depending on the database permissions and the injected SQL, the attacker may be able to read confidential data or modify it.

Although code execution via custom include paths was not confirmed, the ability to manipulate or extract data from the database can lead to data breaches, unauthorized data disclosure, and potential disruption of application functionality.

Detection Guidance

This vulnerability can be detected by testing the /stockreports/spendings endpoint with the "product-group" parameter for SQL injection. Specifically, an authenticated user can submit SQL syntax in the "product-group" parameter to check whether the application concatenates the input into the SQL query.

A proof-of-concept involves injecting SQLite functions such as sqlite_version() or the pragma_database_list table-valued function to confirm the vulnerability.

Example command using curl (assuming authentication cookie or token is set):

  • curl -i -X GET 'https://[target]/stockreports/spendings?group-by=product&product-group=1' -H 'Cookie: session=[your_session]'
  • Modify the product-group parameter to include SQL injection payloads like: 1' UNION SELECT sqlite_version()--

If the response contains database version information or other unexpected data, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected endpoint to only trusted authenticated users, as the vulnerability requires authentication.

Additionally, review and update the application code to properly validate and parameterize the "product-group" input to prevent SQL injection.
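To make the "validate and parameterize" advice concrete, the following is an added example (not grocy's own code, which is PHP; this is a Python sqlite3 stand-in) showing the vulnerable concatenation pattern beside its hardened form. The table names, columns and rows are constructed for the demo and are not grocy's real schema; the payload string is the one quoted in the detection section above.

```python
import re
import sqlite3


def make_db():
    """Constructed toy schema standing in for grocy's spending data (not the real tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE spendings (id INTEGER PRIMARY KEY, product_group_id INTEGER, amount REAL);
        INSERT INTO product_groups VALUES (1, 'Dairy'), (2, 'Bakery');
        INSERT INTO spendings VALUES (1, 1, 2.50), (2, 1, 3.25), (3, 2, 1.10);
    """)
    return conn


def spendings_vulnerable(conn, product_group):
    """Anti-pattern: the request parameter is pasted straight into the WHERE clause.

    Whatever the client sends becomes part of the SQL text, so a quote in the
    value closes the literal and the remainder is executed as SQL.
    """
    sql = ("SELECT SUM(amount) FROM spendings "
           "WHERE product_group_id = '" + product_group + "'")
    return conn.execute(sql).fetchall()


class InvalidParameter(ValueError):
    """Raised when a request parameter fails input validation."""


def is_valid_product_group(product_group):
    """product-group is a row id, so only a non-empty run of ASCII digits is acceptable."""
    return re.fullmatch(r"[0-9]+", product_group) is not None


def spendings_hardened(conn, product_group):
    """Validate first, then bind the value through a placeholder.

    The ? placeholder hands the value to SQLite separately from the statement
    text, so it can never alter the structure of the query.
    """
    if not is_valid_product_group(product_group):
        raise InvalidParameter("product-group must be a positive integer id")
    row = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM spendings WHERE product_group_id = ?",
        (int(product_group),),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    payload = "1' UNION SELECT sqlite_version()--"  # the payload quoted in the advisory above
    print("vulnerable, plain id:", spendings_vulnerable(conn, "1"))
    print("vulnerable, payload: ", spendings_vulnerable(conn, payload))  # second row is the version string
    print("hardened, plain id:  ", spendings_hardened(conn, "1"))
    try:
        spendings_hardened(conn, payload)
    except InvalidParameter as exc:
        print("hardened, payload:    rejected:", exc)
```

The two defences are independent: the allow-list check rejects anything that is not an id before a query is built, and the placeholder guarantees that even a value which slips past validation is treated as data. Keep both; parameterization alone is sufficient against injection, but the validation gives a clean 400 response and a log event instead of a silent empty result.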

If a patch or updated version of Grocy addressing this vulnerability is available, apply it as soon as possible.

As a temporary measure, monitor logs for suspicious activity involving the /stockreports/spendings endpoint and consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the "product-group" parameter.
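The log-monitoring step above can be expressed as a small allow-list check rather than a list of payload signatures: any request to /stockreports/spendings whose "product-group" value is not a plain integer id is worth a look. The following is an added example (not part of the advisory or of grocy) that runs that check over a few constructed access-log lines in the common Apache/nginx combined format; the IP addresses, timestamps and user agents are made up for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format); not real grocy traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /stockreports/spendings?group-by=product&product-group=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jun/2026:10:03:44 +0000] "GET /stockreports/spendings?group-by=product&product-group=1%27%20UNION%20SELECT%20sqlite_version()-- HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '203.0.113.12 - - [15/Jun/2026:10:05:31 +0000] "GET /stockreports/spendings?product-group=abc HTTP/1.1" 500 201 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Jun/2026:10:06:10 +0000] "GET /stock/overview HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

WATCHED_PATH = "/stockreports/spendings"   # endpoint named in the advisory
WATCHED_PARAM = "product-group"            # parameter named in the advisory
INTEGER_ID = re.compile(r"[0-9]+")         # the only shape a product-group id should have


def find_suspicious(lines):
    """Return one record per request whose product-group value is not an integer id.

    The query string is URL-decoded first, so %27 / %20 encoding variants are
    judged on the decoded value rather than on the raw bytes.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(WATCHED_PARAM, []):
            if INTEGER_ID.fullmatch(value) is None:
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG_LINES):
        print(f"{hit['timestamp']} {hit['ip']} status={hit['status']} product-group={hit['value']!r}")
```

Matching on "anything that is not an integer" is deliberately broader than matching known payloads: it catches encoding tricks and unfamiliar SQL syntax alike, and the same positive rule is what a WAF or ingress filter for this parameter should enforce. Expect some noise from typos and broken clients (the abc line above), which is cheap to triage next to a missed injection attempt.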

Compliance Impact

The SQL injection vulnerability in Grocy v4.6.0 allows attackers to access sensitive database information by injecting arbitrary SQL commands. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive information.

Specifically, if the compromised database contains personal or health-related data, the vulnerability could result in unauthorized disclosure or modification of such data, thereby breaching compliance requirements for confidentiality, integrity, and security.
