Skip to main content

Eclipse Kura

1 CVEs product

Monthly

CVE-2026-9561 HIGH This Week

Log integrity spoofing in Eclipse Kura before 5.6.2 lets an unauthenticated remote attacker forge the client IP recorded in audit logs by supplying a crafted X-Forwarded-For header, because the Jetty ForwardedRequestCustomizer is installed unconditionally on every connector and getRemoteAddr() reflects the header value. This enables bypass of IP-based brute-force defenses like fail2ban (spoofing a non-routable source to evade bans) or a denial of service against a third party by injecting a victim IP so their address is banned. No public exploit is identified at time of analysis and it is not on CISA KEV; CVSS 4.0 base score is 8.8.

Denial Of Service Eclipse Kura
NVD VulDB
CVSS 4.0
8.8
EPSS
0.2%
EPSS 0% CVSS 8.8
HIGH This Week

Log integrity spoofing in Eclipse Kura before 5.6.2 lets an unauthenticated remote attacker forge the client IP recorded in audit logs by supplying a crafted X-Forwarded-For header, because the Jetty ForwardedRequestCustomizer is installed unconditionally on every connector and getRemoteAddr() reflects the header value. This enables bypass of IP-based brute-force defenses like fail2ban (spoofing a non-routable source to evade bans) or a denial of service against a third party by injecting a victim IP so their address is banned. No public exploit is identified at time of analysis and it is not on CISA KEV; CVSS 4.0 base score is 8.8.

Denial Of Service Eclipse Kura
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy