VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50890

Description

grocy 4.6.0's stock spending report endpoint is vulnerable to authenticated SQL injection via the product-group parameter, allowing sensitive database access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in Bernd Bestel grocy v4.6.0 within the stock spending report endpoint at `/stockreports/spendings`. The `product-group` query parameter is concatenated directly into the SQL WHERE clause when `group-by=product` is specified and the parameter value is neither `all` nor `ungrouped` [1]. No validation or parameterized binding is applied, so arbitrary SQL can be injected. The database backend is SQLite.

Exploitation

An attacker must have a valid authenticated session to grocy v4.6.0 [1]. The attack is performed by sending a crafted product-group value in a request to /stockreports/spendings?group-by=product that terminates the intended SQL expression and appends additional SQL statements, such as sqlite_version() or queries against pragma_database_list [1]. The attacker observes the report output or error messages to confirm successful injection. No user interaction beyond the attacker's own actions is required.

Impact

Successful exploitation results in authenticated SQL injection, allowing the attacker to read or alter data accessible to the application's SQLite connection, such as user credentials, product data, or configuration [1]. The vulnerability does not directly lead to remote code execution in the tested configuration, as the custom include code execution path was not confirmed due to file-write limitations [1]. The attacker gains access to sensitive database information, potentially compromising confidentiality and integrity of the application.

Mitigation

Bernd Bestel grocy v4.6.0 is the confirmed affected version [1]. As of the publication date (2026-06-15) [CVE header], no official patch or fixed version has been released in the available references. Users should monitor the grocy project for updates and consider input sanitization or parameterized queries as a workaround until a fix is applied [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation and lack of parameterized query binding in StockReportsController::Spendings allows SQL injection via the product-group parameter."

Attack vector

An authenticated attacker sends a crafted HTTP request to `/stockreports/spendings?group-by=product` with a malicious `product-group` parameter that terminates the existing SQL expression and injects arbitrary SQLite statements. Because the value is concatenated unsanitized into the WHERE clause, the injected SQL is executed against the application's SQLite database. The attacker must have a valid login session but no special privileges beyond that. [ref_id=1]

Affected code

The vulnerability resides in `StockReportsController::Spendings` at `/stockreports/spendings`. When `group-by=product` is used and the `product-group` parameter is neither `all` nor `ungrouped`, the controller concatenates the user-supplied value directly into the SQL WHERE clause instead of validating it or using a parameterized query. The crafted SQL is then executed via `Grocy\Services\DatabaseService::ExecuteDbQuery()`. [ref_id=1]

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] states that the controller appends the `product-group` value directly into the SQL WHERE clause without validation or parameter binding. The fix would require either validating the input against a whitelist of valid product group identifiers or using a parameterized query to safely pass the value to the database engine.
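As an added illustration (not grocy's code; grocy is written in PHP, and this re-expresses the pattern in Python against a constructed in-memory SQLite database whose table and column names are assumptions), the concatenation defect the advisory describes is shown next to the whitelist-plus-binding fix the paragraph above suggests:

```python
import re
import sqlite3

BASE_SQL = """SELECT p.name, SUM(s.price) FROM stock_log s
              JOIN products p ON p.id = s.product_id"""


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; names are assumptions, not grocy's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, product_group_id INTEGER);
        CREATE TABLE stock_log (id INTEGER PRIMARY KEY, product_id INTEGER, price REAL);
        INSERT INTO product_groups VALUES (1, 'Dairy'), (2, 'Bakery');
        INSERT INTO products VALUES (10, 'Milk', 1), (11, 'Bread', 2), (12, 'Salt', NULL);
        INSERT INTO stock_log VALUES (1, 10, 1.5), (2, 10, 1.6), (3, 11, 2.0), (4, 12, 0.8);
    """)
    return conn


def spendings_unsafe(conn: sqlite3.Connection, product_group: str):
    """The defect pattern: the selector is pasted into the WHERE clause as text,
    so the database cannot tell the value apart from the query itself."""
    sql = BASE_SQL + f" WHERE p.product_group_id = {product_group} GROUP BY p.id ORDER BY p.name"
    return [(n, round(t, 2)) for n, t in conn.execute(sql).fetchall()]


def spendings_safe(conn: sqlite3.Connection, product_group: str):
    """The fix: accept only the two known selectors or a purely numeric group id,
    and pass the id to SQLite as a bound parameter rather than as query text."""
    if product_group == "all":
        where, params = "", ()
    elif product_group == "ungrouped":
        where, params = " WHERE p.product_group_id IS NULL", ()
    elif re.fullmatch(r"\d+", product_group):
        where, params = " WHERE p.product_group_id = ?", (int(product_group),)
    else:
        raise ValueError("product-group must be 'all', 'ungrouped' or a numeric group id")
    sql = BASE_SQL + where + " GROUP BY p.id ORDER BY p.name"
    return [(n, round(t, 2)) for n, t in conn.execute(sql, params).fetchall()]
```

Both functions return the same rows for a well-formed group id; only the hardened one refuses a value that is not one of the expected selectors, which is the check the advisory says the controller lacks.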

Preconditions

  • auth: Attacker must have a valid authenticated session on grocy 4.6.0
  • input: The request must use `group-by=product` and a `product-group` value that is not `all` or `ungrouped`

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)