Back to overview

CVE-2026-9561

HIGH
8.8
CVSS 4.0
Description
Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

Metadata

CVE ID
CVE-2026-9561
State
PUBLISHED
Assigner
eclipse
Reserved
2026-05-26 10:32 UTC
Published
2026-07-14 07:59 UTC
Last updated
2026-07-14 07:59 UTC
Primary CWE
CWE-348
CWE-348: Use of Less Trusted Source
Vendor / Product
Eclipse Foundation / Eclipse Kura
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
Eclipse Foundation Eclipse Kura 5.0.0 ≤ 5.6.1
Weakness (CWE)
CWESourceDescription
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CWE-348 cna CWE-348: Use of Less Trusted Source
CWE-807 cna CWE-807: Reliance on Untrusted Inputs in a Security Decision
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Back to overview