{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6272", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-04-14T12:57:50.655Z", "datePublished": "2026-04-24T08:28:17.690Z", "dateUpdated": "2026-04-24T11:29:18.312Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-04-24T08:28:17.690Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Eclipse KUKSA - Databroker", "repo": "https://github.com/eclipse-kuksa/kuksa-databroker", "versions": [{"status": "affected", "version": "0.5.0", "lessThanOrEqual": "0.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.\n\n1. Obtain any valid token with only read scope.\n2. Connect to the normal production gRPC API (kuksa.val.v2).\n3. Open OpenProviderStream.\n4. Send ProvideSignalRequest for a target signal ID.\n5. Wait for the broker to forward GetProviderValueRequest.\n6. Reply with attacker-controlled GetProviderValueResponse.\n7. Other clients performing GetValue / GetValues for that signal receive forged data.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.<br><br>1. Obtain any valid token with only read scope.<br>2. Connect to the normal production gRPC API (kuksa.val.v2).<br>3. Open OpenProviderStream.<br>4. Send ProvideSignalRequest for a target signal ID.<br>5. Wait for the broker to forward GetProviderValueRequest.<br>6. Reply with attacker-controlled GetProviderValueResponse.<br>7. Other clients performing GetValue / GetValues for that signal receive forged data."}]}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Ciwan \u00d6ztopal", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T11:29:08.631521Z", "id": "CVE-2026-6272", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T11:29:18.312Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6272", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T11:29:08.631521Z"}}}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T11:21:55.691Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ciwan \u00d6ztopal"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse-kuksa/kuksa-databroker", "vendor": "Eclipse Foundation", "product": "Eclipse KUKSA - Databroker", "versions": [{"status": "affected", "version": "0.5.0", "versionType": "semver", "lessThanOrEqual": "0.6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.\n\n1. Obtain any valid token with only read scope.\n2. Connect to the normal production gRPC API (kuksa.val.v2).\n3. Open OpenProviderStream.\n4. Send ProvideSignalRequest for a target signal ID.\n5. Wait for the broker to forward GetProviderValueRequest.\n6. Reply with attacker-controlled GetProviderValueResponse.\n7. Other clients performing GetValue / GetValues for that signal receive forged data.", "supportingMedia": [{"type": "text/html", "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.<br><br>1. Obtain any valid token with only read scope.<br>2. Connect to the normal production gRPC API (kuksa.val.v2).<br>3. Open OpenProviderStream.<br>4. Send ProvideSignalRequest for a target signal ID.<br>5. Wait for the broker to forward GetProviderValueRequest.<br>6. Reply with attacker-controlled GetProviderValueResponse.<br>7. Other clients performing GetValue / GetValues for that signal receive forged data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-04-24T08:28:17.690Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6272", "state": "PUBLISHED", "dateUpdated": "2026-04-24T11:29:18.312Z", "dateReserved": "2026-04-14T12:57:50.655Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2026-04-24T08:28:17.690Z", "assignerShortName": "eclipse"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.\n\n1. Obtain any valid token with only read scope.\n2. Connect to the normal production gRPC API (kuksa.val.v2).\n3. Open OpenProviderStream.\n4. Send ProvideSignalRequest for a target signal ID.\n5. Wait for the broker to forward GetProviderValueRequest.\n6. Reply with attacker-controlled GetProviderValueResponse.\n7. Other clients performing GetValue / GetValues for that signal receive forged data."}], "id": "CVE-2026-6272", "lastModified": "2026-04-24T14:39:28.770", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2026-04-24T09:16:04.227", "references": [{"source": "emo@eclipse.org", "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.0,0.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Eclipse KUKSA - Databroker", "source": "cna", "vendor": "Eclipse Foundation"}, "product": "kuksa", "vendor": "eclipse"}], "analysis": {"en": {"generated_at": "2026-04-28T14:22:40.628844+00:00", "value": {"mitigation_remediation": ["Implement strict access control so that only clients with provider privileges can invoke ProvideSignalRequest on the OpenProviderStream.", "Enforce token scope validation, blocking calls to OpenProviderStream from read\u2011only JWTs.", "Monitor broker logs for unusual provider registrations and alert administrators.", "Apply any vendor patch or update as soon as an official fix is released; in the meantime check Eclipse Foundation advisories for interim mitigations."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data injection via false signal value propagation"}, "threat_synthesis": {"affected_systems": "Eclipse Foundation\u2019s Eclipse KUKSA Databroker, specifically versions using the production kuksa.val.v2 gRPC interface. The vulnerability applies to any deployment that accepts externally signed JWTs with read privileges and allows clients to establish OpenProviderStream connections. Specific version numbers are not listed in the documentation.", "description_and_impact": "The vulnerability allows a client that holds only a read\u2011scope JWT to register itself as a signal provider via the OpenProviderStream API. By sending a ProvideSignalRequest, the client can spoof any target signal ID, receive a GetProviderValueRequest from the broker, and return an attacker\u2011controlled response. The effect is that all other clients calling GetValue or GetValues for that signal receive forged data, leading to data integrity lapses and potentially false sensor readings.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.5, indicating a high severity. The EPSS score is below 1%, indicating a low but non\u2011zero probability of exploitation in the wild, and the issue is not yet listed in CISA\u2019s KEV catalog. The attack vector is remote, using a standard gRPC connection. An attacker only needs a valid JWT with read scope, which they could obtain legitimately or via credential compromise, to abuse the API. Once a malicious provider is registered, any consumer request for the forged signal will be served with attacker\u2011controlled data."}}}}, "created": "2026-04-28T09:18:02.120104+00:00", "title": "Unrestricted Signal Provider registration enables unauthorized data injection in Eclipse KUKSA Databroker", "updated": "2026-04-28T14:30:33.749383+00:00", "vendors": ["eclipse", "eclipse$PRODUCT$kuksa"]}