
Eclipse CSI PIA CVE-2026-12616

EUVD: EUVD-2026-40094 · MEDIUM
Improper Output Neutralization for Logs (CWE-117)
2026-06-29 eclipse
6.9
CVSS 4.0 · Vendor: eclipse

Severity by source

Vendor (eclipse), primary source: 6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.3 MEDIUM

Network endpoint accepts unauthenticated, unverified JWTs; impact is solely log-record integrity (I:L), with no confidentiality or availability consequence and no scope change.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS Vector (Vendor: eclipse)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Jun 29, 2026, 14:30 (vuln.today)

Description (CVE.org)

The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format ("%(asctime)s - %(name)s - %(levelname)s - %(message)s") renders newlines literally, an unauthenticated attacker can forge log records that are byte-for-byte indistinguishable from PIA's genuine "Successfully authenticated project" message. PIA is an authentication broker whose logs are explicitly relied upon for incident response (DESIGN.md §5.4 lists "Token verifications" and "Errors" as events to log), so the ability to plant fake auth-success entries directly undermines the audit trail the service exists to produce.
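The description turns on one mechanism: a log format that renders a CR/LF inside an interpolated value literally, so one logging call produces two physical log lines. The block below is an added example, not PIA's code, that re-creates the quoted format string, feeds it a constructed issuer value containing an injected second line, and then shows the CWE-117 mitigation: a `logging.Formatter` subclass that escapes control characters in the fully rendered record so a record can never span more than one line. The logger name `pia.upload`, the message template and the project name are stand-ins.

```python
import logging

# Log format quoted in the advisory, re-created here for the demo.
PIA_STYLE_FORMAT = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"

# Constructed sample: an untrusted issuer value that carries a newline followed by
# text shaped like a second record. The project name is a stand-in, not a PIA value.
FORGED_ISSUER = (
    "https://issuer.example\n"
    "2026-06-29 14:30:00,000 - pia.upload - INFO - "
    "Successfully authenticated project demo-project"
)


class NeutralizingFormatter(logging.Formatter):
    """Escape control characters in the fully rendered record so that no field,
    trusted or untrusted, can terminate the current line and start a forged one
    (CWE-117 mitigation). Every record then occupies exactly one physical line,
    which is what a line-oriented audit log reader assumes."""

    # Map every C0 control character plus DEL to a visible escape sequence.
    _ESCAPES = {code: f"\\x{code:02x}" for code in range(0x20)}
    _ESCAPES.update({0x09: "\\t", 0x0A: "\\n", 0x0D: "\\r", 0x7F: "\\x7f"})

    def format(self, record: logging.LogRecord) -> str:
        # Escaping the whole rendered string also covers control characters that
        # arrive through the message template itself, not only through %s arguments.
        return super().format(record).translate(self._ESCAPES)


def render(formatter: logging.Formatter, issuer: str) -> str:
    """Format one record the way a handler would, without touching global logger state.
    Logger name, pathname and message template are hypothetical stand-ins."""
    record = logging.LogRecord(
        name="pia.upload",
        level=logging.INFO,
        pathname="pia/upload.py",
        lineno=0,
        msg="Received token for issuer %s",
        args=(issuer,),
        exc_info=None,
    )
    return formatter.format(record)


def physical_lines(rendered: str) -> int:
    """Number of lines a log reader would see for this single record."""
    return len(rendered.splitlines())


def demo() -> dict:
    """Render the same record with the vulnerable and the hardened formatter."""
    before = render(logging.Formatter(PIA_STYLE_FORMAT), FORGED_ISSUER)
    after = render(NeutralizingFormatter(PIA_STYLE_FORMAT), FORGED_ISSUER)
    return {
        "before_lines": physical_lines(before),  # 2: the injected line is accepted
        "after_lines": physical_lines(after),    # 1: the newline is rendered as \n
        "after": after,
    }


if __name__ == "__main__":
    result = demo()
    print("plain formatter emits", result["before_lines"], "lines for one record")
    print("neutralizing formatter emits", result["after_lines"], "line:")
    print(result["after"])
```

Escaping at the formatter is a backstop: the primary fix implied by the description is to verify the token's signature before any claim is logged, and to treat claims from an unverified token as data that never reaches an audit log. Emitting structured records (for example `json.dumps` per record) achieves the same single-line guarantee, since JSON encoding escapes CR and LF; a detection engineer can also flag records whose timestamp field does not parse or whose field count is wrong, which is exactly what a pasted second line looks like once the formatter above is in place.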

Analysis (AI)

Log injection in Eclipse CSI PIA's unauthenticated /v1/upload/sbom endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), meaning the forgery directly subverts the audit trail the service exists to produce. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send unauthenticated POST to /v1/upload/sbom
Delivery: Supply JWT with newline-injected iss claim
Exploit: Signature verification skipped, raw iss extracted
Execution: Newline rendered literally by Python log formatter
Persist: Forged auth-success record written to audit log
Impact: Incident responders misled by synthetic evidence

Vulnerability Assessment (AI)

Exploitation: The /v1/upload/sbom endpoint must be network-accessible, which is consistent with its function as an unauthenticated SBOM ingestion API (CVSS PR:N). …

Risk Assessment: The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N) accurately reflects a trivially exploitable, unauthenticated network attack with no special prerequisites. …

Exploit Scenario: An unauthenticated attacker sends a POST request to /v1/upload/sbom with a crafted JWT whose iss claim contains a newline character followed by a forged log line matching PIA's 'Successfully authenticated project' template, using a legitimate-looking project identifier. Because signature verification is skipped before logging, PIA writes the injected line verbatim, creating a fake audit record in the incident-response log. …

Remediation: No vendor-released patch has been identified at time of analysis; the reference points to an open Eclipse GitLab security work item (https://gitlab.eclipse.org/security/cve-assignment/-/work_items/145) with no associated tagged release. …


