🔐 CVE Alert

CVE-2026-13699

MEDIUM 4.3

Databroker 0.6.1 PublishValue missing data_point panic

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional data_point field in PublishValueRequest. When a request contains a valid signal_id but omits data_point, the server directly calls unwrap() on request.data_point, triggering a panic in the Tokio worker thread. This issue can be triggered by any client holding a valid JWT token. Unauthenticated or invalid-token requests are rejected and do not reach the vulnerable path. The panic causes the individual gRPC call to be cancelled but does not terminate the Databroker process, which remains available for subsequent requests.

CWE CWE-20
Vendor eclipse foundation
Product eclipse kuksa - databroker
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for eclipse foundation eclipse kuksa - databroker

Be the first to know when new medium vulnerabilities affecting eclipse foundation eclipse kuksa - databroker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Affected Versions

Eclipse Foundation / Eclipse KUKSA - Databroker
0.6.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
gitlab.eclipse.org: https://gitlab.eclipse.org/security/cve-assignment/-/work_items/148

Credits

Lplum