gRPC Handler Vulnerability in Eclipse KUKSA Databroker
CVE-2026-13699

4.3MEDIUM

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-13699?

In Eclipse KUKSA Databroker version 0.6.1, a vulnerability exists in the gRPC handler that fails to properly validate the optional data_point field in the PublishValueRequest. This situation arises when a valid signal_id is provided without including the data_point, resulting in an unprotected call to unwrap() on request.data_point. Such a condition leads to a panic in the Tokio worker thread, although requests with unauthenticated or invalid tokens are suitably blocked from exploiting this flaw. While the panic cancels the specific gRPC call, it does not affect the overall availability of the Databroker process, allowing it to handle subsequent requests.

Affected Version(s)

Eclipse KUKSA - Databroker 0.6.1

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lplum
.