๐Ÿ” CVE Alert

CVE-2026-9561

UNKNOWN 0.0
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections โ€” such as fail2ban โ€” by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

CWE CWE-348 CWE-807 CWE-345
Vendor eclipse foundation
Product eclipse kura
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for eclipse foundation eclipse kura

Be the first to know when new unknown vulnerabilities affecting eclipse foundation eclipse kura are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Eclipse Foundation / Eclipse Kura
5.0.0 โ‰ค 5.6.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
gitlab.eclipse.org: https://gitlab.eclipse.org/security/cve-assignment/-/work_items/117

Credits

Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group