CVE-2026-6272

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API (kuksa.val.v2). 3. Open OpenProviderStream. 4. Send ProvideSignalRequest for a target signal ID. 5. Wait for the broker to forward GetProviderValueRequest. 6. Reply with attacker-controlled GetProviderValueResponse. 7. Other clients performing GetValue / GetValues for that signal receive forged data.

CVSS

No CVSS.

References

Link	Resource
https://gitlab.eclipse.org/security/cve-assignment/-/issues/98
https://gitlab.eclipse.org/security/cve-assignment/-/issues/98

Configurations

No configuration.

History

24 Apr 2026, 12:17

Type	Values Removed	Values Added
References	~~() https://gitlab.eclipse.org/security/cve-assignment/-/issues/98 -~~	() https://gitlab.eclipse.org/security/cve-assignment/-/issues/98 -

24 Apr 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-24 09:16

Updated : 2026-04-24 14:39

NVD link : CVE-2026-6272

Mitre link : CVE-2026-6272

CVE.ORG link : CVE-2026-6272

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-6272", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-24T09:16:04.227", "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98", "source": "emo@eclipse.org"}, {"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/98", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.\n\n1. Obtain any valid token with only read scope.\n2. Connect to the normal production gRPC API (kuksa.val.v2).\n3. Open OpenProviderStream.\n4. Send ProvideSignalRequest for a target signal ID.\n5. Wait for the broker to forward GetProviderValueRequest.\n6. Reply with attacker-controlled GetProviderValueResponse.\n7. Other clients performing GetValue / GetValues for that signal receive forged data."}], "lastModified": "2026-04-24T14:39:28.770", "sourceIdentifier": "emo@eclipse.org"}