CVE-2026-9561 PUBLISHED

Assigner: eclipse
Reserved: 26.05.2026 Published: 14.07.2026 Updated: 14.07.2026

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor Eclipse Foundation
Product Eclipse Kura
Versions Default: unaffected
  • affected from 5.0.0 to 5.6.1 (incl.)

Credits

  • Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group finder

References

Problem Types

  • CWE-348: Use of Less Trusted Source CWE
  • CWE-807: Reliance on Untrusted Inputs in a Security Decision CWE
  • CWE-345: Insufficient Verification of Data Authenticity CWE