PT-2026-34869 · Kuksa · Kuksa
Ciwan Öztopal · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-6272
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Kuksa (affected versions not specified)
Description
A client with a read-only JWT scope can register as a signal provider via the 'kuksa.val.v2' OpenProviderStream API by sending a ProvideSignalRequest. This allows an attacker to respond to GetProviderValueRequest messages with forged data, which is then delivered to other clients requesting values for that signal.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
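The authorization decision the description implies is missing, sketched as an added example (not Kuksa code and not a vendor patch): a ProvideSignalRequest is accepted only when every requested signal is covered by a provide grant, so a read-only scope is refused. The `action:path` scope syntax, the action names `read` and `provide`, the `.*` branch wildcard and all function names are assumptions made for this sketch.

```rust
// Added illustration, not Kuksa code. The "action:path" scope syntax and the
// action names "read" / "provide" are assumptions made for this sketch.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Action { Read, Provide }

#[derive(Debug, PartialEq)]
enum Decision { Allow, Deny }

/// Parse a space-separated JWT `scope` claim into (action, path pattern) pairs.
/// Unknown actions and malformed entries are dropped, so they never grant access.
fn parse_scope(claim: &str) -> Vec<(Action, String)> {
    claim.split_whitespace().filter_map(|entry| {
        let (action, path) = entry.split_once(':')?;
        let action = match action {
            "read" => Action::Read,
            "provide" => Action::Provide,
            _ => return None,
        };
        if path.is_empty() { return None; }
        Some((action, path.to_string()))
    }).collect()
}

/// A pattern matches the exact path, or a whole branch when it ends in ".*".
fn path_matches(pattern: &str, signal: &str) -> bool {
    match pattern.strip_suffix(".*") {
        Some(branch) => signal.strip_prefix(branch).map_or(false, |rest| rest.starts_with('.')),
        None => pattern == signal,
    }
}

/// Gate for a ProvideSignalRequest: every requested signal must be covered by a
/// `provide` grant. A `read` grant on the same path is deliberately not enough.
fn authorize_provide(scope_claim: &str, signals: &[&str]) -> Decision {
    let grants = parse_scope(scope_claim);
    let covered = |sig: &str| grants.iter()
        .any(|(a, p)| *a == Action::Provide && path_matches(p, sig));
    if !signals.is_empty() && signals.iter().all(|&s| covered(s)) {
        Decision::Allow
    } else {
        Decision::Deny
    }
}

fn main() {
    // Constructed scope claims; the first is the read-only case from the description.
    println!("{:?}", authorize_provide("read:Vehicle.Speed", &["Vehicle.Speed"]));
    println!("{:?}", authorize_provide("provide:Vehicle.*", &["Vehicle.Speed"]));
}
```

The same decision is worth logging on denial, since a read-scoped client attempting provider registration is a useful detection signal.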
Exploit
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Kuksa