IP Spoofing Vulnerability in Eclipse Kura Web Console and REST API
CVE-2026-9561

8.8HIGH

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-9561?

Eclipse Kura, specifically versions before 5.6.2, contains a vulnerability that improperly trusts the X-Forwarded-For HTTP header, allowing an attacker to manipulate audit log entries by spoofing their IP address. This weakness is present in the Web Console and REST API components, where the system regards this header as a legitimate source for the client's IP address. By exploiting this flaw, a remote, unauthenticated attacker can circumvent IP-based security measures, potentially facilitating undetected brute-force attacks or causing denial-of-service conditions against other third parties.

Affected Version(s)

Eclipse Kura 5.0.0 <= 5.6.1

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group
.