IP Spoofing Vulnerability in Eclipse Kura Web Console and REST API
CVE-2026-9561
8.8HIGH
What is CVE-2026-9561?
Eclipse Kura, specifically versions before 5.6.2, contains a vulnerability that improperly trusts the X-Forwarded-For HTTP header, allowing an attacker to manipulate audit log entries by spoofing their IP address. This weakness is present in the Web Console and REST API components, where the system regards this header as a legitimate source for the client's IP address. By exploiting this flaw, a remote, unauthenticated attacker can circumvent IP-based security measures, potentially facilitating undetected brute-force attacks or causing denial-of-service conditions against other third parties.
Affected Version(s)
Eclipse Kura 5.0.0 <= 5.6.1
References
CVSS V4
Score:
8.8
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group
