PT-2026-57997 · Eclipse Foundation · Eclipse Kura
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-9561
CVSS v4.0
8.8
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Eclipse Kura versions prior to 5.6.2
Description
Audit log entries trust the client-supplied
X-Forwarded-For HTTP header as the authoritative source of the client IP address. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header when initializing audit context. Additionally, org.eclipse.kura.jetty.customizer installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, which causes HttpServletRequest.getRemoteAddr() to reflect the value provided in the attacker-controlled header. An unauthenticated remote attacker can spoof the logged IP address to bypass IP-based brute-force protections or inject a victim's IP address to cause a denial of service by triggering a ban on that address.Recommendations
Update to version 5.6.2 or later.
Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Eclipse Kura