CVE Alert

CVE-2026-6272

UNKNOWN 0.0
CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

1. Obtain any valid token with only read scope.
2. Connect to the normal production gRPC API (kuksa.val.v2).
3. Open OpenProviderStream.
4. Send ProvideSignalRequest for a target signal ID.
5. Wait for the broker to forward GetProviderValueRequest.
6. Reply with attacker-controlled GetProviderValueResponse.
7. Other clients performing GetValue / GetValues for that signal receive forged data.

CWE CWE-306
Vendor Eclipse Foundation
Product Eclipse KUKSA - Databroker
Published Apr 24, 2026

Affected Versions

Eclipse Foundation / Eclipse KUKSA - Databroker
0.5.0 ≤ 0.6.0

References

gitlab.eclipse.org: https://gitlab.eclipse.org/security/cve-assignment/-/issues/98

Credits

Ciwan Öztopal