CVE-2026-46459 PUBLISHED

Missing Authorization in ICU Scandinavia Boomerang

Assigner: CERT-PL
Reserved: 14.05.2026 Published: 15.07.2026 Updated: 15.07.2026

ICU Scandinavia Boomerang is vulnerable to a missing authentication flaw in its device receiver endpoints. This allows an unauthenticated remote attacker to read full facility configurations and write unauthorized data to the sensor database. This issue has been fixed in version 2.4.18.029

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor ICU Scandinavia
Product Boomerang
Versions Default: unaffected
  • affected from 0 to 2.4.18.029 (excl.)

Credits

  • Marek Figielski (vanilla.pl) finder

References

Problem Types

  • CWE-862 Missing Authorization CWE