PT-2026-57997 · Eclipse Foundation · Eclipse Kura

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-9561

CVSS v4.0

8.8

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Eclipse Kura versions prior to 5.6.2
Description Audit log entries trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header when initializing audit context. Additionally, org.eclipse.kura.jetty.customizer installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, which causes HttpServletRequest.getRemoteAddr() to reflect the value provided in the attacker-controlled header. An unauthenticated remote attacker can spoof the logged IP address to bypass IP-based brute-force protections or inject a victim's IP address to cause a denial of service by triggering a ban on that address.
Recommendations Update to version 5.6.2 or later.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9561

Affected Products

Eclipse Kura