
Grocy Spending Report SQL Injection Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-50890

A SQL injection vulnerability exists in grocy, a self-hosted household management tool, allowing attackers to read sensitive database information by placing crafted SQL in a request parameter. While this could lead to unauthorized data access, grocy's typical self-hosted or internal deployment means external exposure varies from instance to instance. It is important to determi

Halo Surface Signal: 3

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-50890

The vulnerability exists in a web application parameter. While web applications are often exposed to the internet, grocy is frequently deployed as a self-hosted, personal, or internal household management tool, meaning public internet exposure is not a guaranteed or standard deployment pattern for every instance.

PCI scan relevance

PCI Relevance for CVE-2026-50890

Yes

CVE-2026-50890 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

SQL injection is among the vulnerability classes that the PCI ASV Program Guide treats as an automatic scan failure regardless of CVSS score, so an internet-facing grocy instance inside an ASV scan scope would fail the scan if this finding is confirmed.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in grocy, a self-hosted household management tool, that could allow unauthorized access to sensitive database information through a crafted web request. While SQL injection is a serious weakness, grocy's typical deployment as a self-hosted or internal tool means exposure to external attackers varies by instance. The primary concern at this stage is to determine whether the organization runs grocy at all and, if so, whether any instance is reachable from outside the private network.

  • Sensitive data exposure risk exists.
  • Verify if this product is in use.
  • Understand potential exposure and impact.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the spendings report within the stock reports feature of the affected product. The request carries SQL syntax in the product-group parameter, which the application incorporates into its database query. Successfully triggering the flaw could allow an attacker to read data from tables the report was never meant to expose.

  • Requires network access.
  • Targets the product-group parameter.
  • Allows access to sensitive database information.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in the product-group parameter could allow an unauthenticated attacker to execute arbitrary SQL commands. This could lead to unauthorized access to sensitive database information, potentially affecting user data and altering service behavior when the affected component is exposed to the network.

  • Sensitive database information.
  • Via crafted SQL injection in product-group.
  • Unauthorized data access and modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified SQL injection vulnerability in grocy requires action from the teams that own the application and its data. Determine where grocy is deployed, whether each instance is reachable from the internet or only from a private network, and who is accountable for it, then prioritize remediation by exposure and data sensitivity. Until a fixed release is available from the maintainers, restrict access to trusted users and networks and review web-server logs for requests to the spendings report whose product-group parameter carries SQL syntax rather than a plain identifier.

  • Application owners should lead remediation efforts.
  • Verify grocy instance exposure and criticality.
  • Plan remediation considering data sensitivity.
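A detection check to go with the steps above, added here as an example and not part of the advisory or of grocy: it reads common-log-format access-log lines and flags requests to the spendings report whose product-group value contains SQL syntax. The log lines are constructed for illustration, and the request path /stockreports/spendings and the parameter name product-group are assumptions to confirm against your own instance's logs.

```python
"""Flag SQL-injection attempts against the grocy spendings report in access logs.

Added example, not grocy's code. The path, parameter name and log lines below
are assumptions/constructed sample data; verify them against a real deployment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:00:01 +0000] "GET /stockreports/spendings?product-group=2 HTTP/1.1" 200 1842
203.0.113.7 - - [01/May/2026:10:00:09 +0000] "GET /stockreports/spendings?product-group=2%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2210
198.51.100.4 - - [01/May/2026:10:01:15 +0000] "GET /stockreports/spendings?product-group=1'%20OR%20'1'%3D'1 HTTP/1.1" 500 512
198.51.100.4 - - [01/May/2026:10:02:30 +0000] "GET /stockentries?search=union HTTP/1.1" 200 900
"""

# Common log format: client, identity, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL syntax that a numeric group id never legitimately contains.
SQLI_RE = re.compile(r"""(?ix)
    \b(union|select|insert|update|delete|drop|sleep|benchmark|load_file)\b
  | ['";]                    # string terminators / statement separators
  | --|/\*|\#                # comment sequences used to truncate the query
  | \bor\b\s+\S+\s*=\s*\S+   # tautologies such as OR 1=1
""")


def is_suspicious(value: str) -> bool:
    """True when the (already URL-decoded) value is not a plain id and carries SQL syntax."""
    return not value.isdigit() and bool(SQLI_RE.search(value))


def scan_log(text: str, path: str = "/stockreports/spendings",
             param: str = "product-group") -> list[dict]:
    """Return one finding per request to `path` whose `param` value looks like injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        # parse_qs percent-decodes values, so %27 and %20 become ' and space.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_suspicious(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": m["status"],
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} product-group={f['value']!r}")
```

The first sample line (a plain numeric id) and the fourth (a different page) are ignored; the two requests carrying UNION and a quoted tautology are reported with the client address, so they can be correlated with whether the instance returned data (HTTP 200) or an error (500). Feed the function your own log file contents in place of SAMPLE_LOG.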


Frequently asked questions

What is grocy and what is it used for?

grocy is a web-based, self-hosted application for household and pantry management. Users typically deploy it to track grocery inventory, manage household chores, and monitor spending, using it as a central dashboard for personal or small-organization resource tracking.

What does the CVE-2026-50890 vulnerability mean?

This vulnerability is a SQL Injection (CWE-89) weakness. It occurs when an application fails to keep user-supplied data separate from the SQL it builds, for example by concatenating a request parameter into the query text instead of binding it as a parameter. In this case, it allows an attacker to insert SQL syntax through the product-group parameter, potentially tricking the grocy database into returning information the spendings report was never intended to expose.

How can an attacker trigger this vulnerability?

An attacker exploits this by sending a specially crafted web request to the grocy spendings report page. By injecting malicious code into the 'product-group' parameter, they attempt to manipulate the database. Standard, non-malicious usage of the spendings report page does not trigger this flaw; it requires specifically designed input intended to subvert the database query.
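The injection pattern described in the Attack Path section and in this answer, as an added example that is not grocy's code and does not reproduce its actual query: a toy spendings report over an in-memory SQLite database (grocy does use SQLite, but the tables, rows and query below are constructed for illustration). The vulnerable version concatenates the product-group value into the SQL text, so a value carrying a UNION clause pulls rows from an unrelated table; the safe version binds the value as a parameter and coerces it to an integer, so the same input is rejected outright.

```python
"""Toy spendings report: injectable query beside its parameterized fix.

Added example, not grocy's code. Schema, rows and query are constructed and
only model the pattern (a group id concatenated into SQL), not grocy's real code.
"""
import sqlite3

# A payload an attacker might place in the product-group parameter: the trailing
# "--" comments out whatever the application appends after the injected value.
PAYLOAD = "1 UNION SELECT username, password_hash FROM users --"


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a spendings table and an unrelated users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product_groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE spendings (id INTEGER PRIMARY KEY, product_group_id INTEGER, amount REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO product_groups VALUES (1, 'Dairy'), (2, 'Bakery');
        INSERT INTO spendings VALUES (1, 1, 4.50), (2, 2, 3.25), (3, 1, 2.00);
        INSERT INTO users VALUES (1, 'admin', 'sha256:constructed-sample-hash');
    """)
    return con


def report_vulnerable(con: sqlite3.Connection, product_group: str) -> list:
    """CWE-89: the parameter is pasted into the statement and parsed as SQL."""
    sql = ("SELECT product_group_id, amount FROM spendings "
           f"WHERE product_group_id = {product_group} ORDER BY id")
    return con.execute(sql).fetchall()


def report_safe(con: sqlite3.Connection, product_group: str) -> list:
    """Fixed form: the value travels as a bound parameter and is validated as an int.

    Raises ValueError for anything that is not an integer id, so SQL syntax in the
    parameter never reaches the database engine as code.
    """
    group_id = int(product_group)
    sql = ("SELECT product_group_id, amount FROM spendings "
           "WHERE product_group_id = ? ORDER BY id")
    return con.execute(sql, (group_id,)).fetchall()


def demo() -> dict:
    """Run both versions with a normal id and with PAYLOAD; return what each produced."""
    con = make_db()
    leaked = report_vulnerable(con, PAYLOAD)
    try:
        report_safe(con, PAYLOAD)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "normal_rows": report_vulnerable(con, "1"),
        "leaked_rows": leaked,
        "credentials_leaked": any(row[0] == "admin" for row in leaked),
        "safe_rows": report_safe(con, "1"),
        "safe_rejected": safe_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the normal value both versions return the two Dairy spendings. With the payload, the concatenating version returns those rows plus the admin username and password hash from the users table, which is exactly the "sensitive database information" the advisory describes; the parameterized version raises before any query runs. Binding parameters is the fix; input validation on top of it narrows what the database ever sees.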

Why should I care about my grocy instance exposure?

Halo Surface Signal notes that while this is a network-based vulnerability, grocy is often used as a self-hosted or internal tool. If your instance is only accessible from within your local network, the risk is lower than an instance facing the public internet. Identifying whether your deployment is internet-facing is the most important step in understanding your specific risk level.

What should I do if I run grocy?

First, confirm if you are running version 4.6.0, as this is the affected release. Next, locate the system owner and determine if the instance is reachable from outside your private network. Prioritize restricting access to the application so that only trusted users can reach it while you wait for further guidance or security updates from the project maintainers.
