Unauthorized Access Vulnerability in AppEngine Fileaccess by SICK
CVE-2026-2331

9.8CRITICAL

Key Information:

Vendor: Sick Ag
Status: Sick Lector85x; Sick Lector83x
Vendor: CVE Published:; 6 March 2026

What is CVE-2026-2331?

The vulnerability in SICK's AppEngine Fileaccess allows attackers to execute unauthenticated read and write operations on sensitive filesystem directories. This exposure, caused by improper access restrictions, permits unauthorized access to critical directories via HTTP, including device parameter files that contain application settings and customer-defined passwords. Furthermore, it allows access to the custom application directory, potentially enabling execution of arbitrary Lua code within the AppEngine’s sandboxed environment. Immediate remediation is advised to protect against unauthorized access and to safeguard sensitive application information.

Affected Version(s)

SICK Lector83x 2.6.0 <= 2.7.0

SICK Lector85x 2.6.0 <= 2.7.0

References

https://www.sick.com/psirt

x_SICK PSIRT Security Advisories

https://www.sick.com/media/docs/9/19/719/special_informat...

x_SICK Operating Guidelines

https://www.cisa.gov/resources-tools/resources/ics-recomm...

x_ICS-CERT recommended practices on Industrial Security

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2026
Vulnerability Reserved
Feb 11, 2026

CVE-2026-2331 Data

JSON

Sick Ag

What is CVE-2026-2331?

Affected Version(s)

References

CVSS V3.1

Timeline