← Advisories

SIP Sustainable Irrigation Platform 5.x (cv) Settings Mass Assignment

High
Advisory ID
ZSL-2026-5997
Release Date
14 July 2026
Affected Version
5.2.16
Tested On
Debian GNU/Linux 11 (bullseye) raspberrypi 6.1.21+ (armv6l/aarch64), Python 3.9.2
Summary

SIP is a free Raspberry Pi based Python program for controlling irrigation systems (sprinkler, drip, hydroponic, etc). It uses web technology to provide an intuitive user interface (UI) in several languages. The UI can be accessed in your favorite browser on desktop, laptop, and mobile devices. SIP has also been used to control pumps, lights, and other Irrigation related equipment.

Description

The application's value-setting interface copies every parameter received in an HTTP request directly into its internal settings object without restricting which settings may be changed. This can be exploited to modify arbitrary configuration values that the endpoint was never intended to expose, including disabling the passphrase or changing the listening port, by supplying the corresponding parameter names. When the optional passphrase is not enabled (factory default) this requires no authentication, and where the passphrase is enabled it defaults to 'opendoor' and the same result is reachable through cross-site request forgery.

Proof of Concept
Disclosure Timeline
24.06.2026Vulnerability discovered.
05.07.2026Contact with the vendor.
06.07.2026Vendor responds asking more details.
06.07.2026Sent details to the vendor.
09.07.2026Vendor will be working to address the issues.
14.07.2026Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
14.07.2026Initial release