Log Injection Vulnerability in PIA Authentication Broker by Unauthenticated Attackers
CVE-2026-12616
6.9 MEDIUM
What is CVE-2026-12616?
The PIA Authentication Broker contains a vulnerability where the /v1/upload/sbom endpoint extracts the 'iss' claim from an attacker-supplied JWT without verifying its signature and writes it to the log. Because the log format renders newlines literally, an unauthenticated attacker can embed line breaks in the claim and inject log entries that mimic legitimate authentication messages, including fake auth-success lines that are indistinguishable from real ones. This compromises the integrity of incident response and seriously undermines the audit trail that the service relies upon for secure operational logging.
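The following is an added illustration, not PIA's own code: it shows why an unverified 'iss' claim written by a plain-text logger that renders newlines literally splits into a second, forged-looking line, and two hardened loggers (escaped text and structured JSON) that keep the record on one line and label the claim as unverified. The endpoint and claim name come from the advisory; the log format, field names and the sample token are constructed assumptions.

```python
import base64
import json


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped token for the demonstration (constructed input)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def unverified_iss(token: str) -> str:
    """Extract 'iss' from the JWT payload WITHOUT checking the signature.
    This mirrors the flawed pattern in the advisory; never base a decision on it."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("iss", "")


def vulnerable_log_line(token: str) -> str:
    """Renders the claim literally, so an embedded newline starts a new log line."""
    return f"auth attempt: endpoint=/v1/upload/sbom iss={unverified_iss(token)}"


def sanitize(value: str) -> str:
    """Escape every non-printable character (\\n, \\r, NUL, ...) so one field
    can never span multiple lines in a text-format log."""
    return "".join(c if c.isprintable() else repr(c)[1:-1] for c in value)


def hardened_text_log_line(token: str) -> str:
    """Text-format fix: the claim is escaped and explicitly marked as unverified."""
    return f"auth attempt: endpoint=/v1/upload/sbom unverified_iss={sanitize(unverified_iss(token))}"


def hardened_json_log_line(token: str) -> str:
    """Structured fix: the JSON encoder escapes control characters, so the record
    stays on one line and parsers see the claim as data, not as a new entry."""
    return json.dumps({
        "event": "auth_attempt",
        "endpoint": "/v1/upload/sbom",
        "unverified_iss": unverified_iss(token),
    })
```

Whichever form is adopted, a log line that reports an authentication success should only ever be produced by the code path that actually verified the token, never from an attacker-controlled field.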
Affected Version(s)
Eclipse CSI - PIA 0 <= 0.2.1
