Skip to main content

Eclipse Kura CVE-2026-9561

| EUVDEUVD-2026-43636 HIGH
Use of Less Trusted Source (CWE-348)
2026-07-14 eclipse GHSA-fqc6-vqq8-5xwp
8.8
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (eclipse) · only source for this CVE.

CVSS VectorVendor: eclipse

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 08:47 vuln.today
CVE Published
Jul 14, 2026 - 07:59 cve.org
HIGH 8.8

DescriptionCVE.org

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections - such as fail2ban - by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

AnalysisAI

Log integrity spoofing in Eclipse Kura before 5.6.2 lets an unauthenticated remote attacker forge the client IP recorded in audit logs by supplying a crafted X-Forwarded-For header, because the Jetty ForwardedRequestCustomizer is installed unconditionally on every connector and getRemoteAddr() reflects the header value. This enables bypass of IP-based brute-force defenses like fail2ban (spoofing a non-routable source to evade bans) or a denial of service against a third party by injecting a victim IP so their address is banned. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: identify all Eclipse Kura deployments and verify which run versions prior to 5.6.2; assess whether instances are exposed to untrusted networks or rely on IP-based brute-force defenses. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy