Unauthorized Signal Manipulation in the Eclipse KUKSA Databroker gRPC API
CVE-2026-6272

8.5 HIGH

Key Information:

Vendor
CVE Published: 24 April 2026

What is CVE-2026-6272?

The kuksa.val.v2 gRPC API contains a vulnerability that allows a client holding only a read JWT scope to register itself as a signal provider. Using a valid token, the attacker sends a crafted ProvideSignalRequest over the OpenProviderStream API. Once registered, the attacker can answer the broker's GetProviderValueRequest messages with manipulated responses, which compromises data integrity for any client that calls GetValue or GetValues for that signal. The risk is significant, because compromised signal data can mislead users and applications that rely on accurate information.

Affected Version(s)

Eclipse KUKSA - Databroker 0.5.0 <= 0.6.0

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ciwan Öztopal