Description
A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

1. Obtain any valid token with only read scope.
2. Connect to the normal production gRPC API (kuksa.val.v2).
3. Open OpenProviderStream.
4. Send ProvideSignalRequest for a target signal ID.
5. Wait for the broker to forward GetProviderValueRequest.
6. Reply with attacker-controlled GetProviderValueResponse.
7. Other clients performing GetValue / GetValues for that signal receive forged data.
Published: 2026-04-24
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data injection via false signal value propagation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a client that holds only a read‑scope JWT to register itself as a signal provider via the OpenProviderStream API. By sending a ProvideSignalRequest for a target signal ID, the client receives the broker's GetProviderValueRequest for that signal and answers it with an attacker‑controlled GetProviderValueResponse. The effect is that all other clients calling GetValue or GetValues for that signal receive forged data: a loss of data integrity and, for vehicle signals, potentially false sensor readings.

Affected Systems

Eclipse Foundation's Eclipse KUKSA Databroker, specifically deployments that expose the production kuksa.val.v2 gRPC interface. The vulnerability applies to any deployment that issues or accepts JWTs carrying only read scope and lets those clients open OpenProviderStream. Affected version numbers are not listed in the advisory.

Risk and Exploitability

The flaw carries a CVSS v4.0 base score of 8.5 (High). Its vector, AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H, describes a network‑reachable attack of low complexity that requires no user interaction and only low privileges (the read‑scope token), with high integrity and availability impact both on the broker and on the downstream systems that consume its signals. The EPSS score is below 1%, indicating a low but non‑zero probability of exploitation in the wild, and the issue is not yet listed in CISA's KEV catalog, although the SSVC assessment records a public proof of concept. An attacker only needs a valid JWT with read scope, which they could obtain legitimately or via credential compromise, to abuse the API. Once a malicious provider is registered, any consumer request for the forged signal is served with attacker‑controlled data.

Generated by OpenCVE AI on April 28, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement strict access control so that only clients with provider privileges can invoke ProvideSignalRequest on the OpenProviderStream; check the privilege per target signal ID, not once per connection.
  • Enforce token scope validation at OpenProviderStream: a JWT that carries only read scope must be rejected before any ProvideSignalRequest is honoured.
  • Monitor broker logs for unusual provider registrations and alert administrators.
  • Apply any vendor patch or update as soon as an official fix is released; in the meantime check Eclipse Foundation advisories for interim mitigations.
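The registration flow from the Description (steps 1 to 7) and the scope check recommended above, modelled as an added example in Rust. This is not KUKSA Databroker code and uses none of its gRPC types: the in‑memory Broker stands in for the databroker, the scope format "<action>:<path>" with a trailing ".*" wildcard (for instance "read:Vehicle.*" or "provide:Vehicle.Speed"), the signal path Vehicle.Speed and the client names are all assumptions or constructed data. With accept_any_valid_token set, any valid token may take over the signal, which is the reported behaviour; with it cleared, provide_signal requires a provide scope that covers the requested path and the read‑only client is refused.

```rust
// Added example: an in-memory model of the kuksa.val.v2 provider-registration
// decision. Not KUKSA Databroker code. Scope strings "<action>:<path-pattern>"
// with an optional trailing ".*" wildcard are an assumption of this example.
use std::collections::HashMap;

#[derive(Debug, Clone)]
pub struct Token {
    /// Scopes carried by the JWT, e.g. "read:Vehicle.*" (assumed format).
    pub scopes: Vec<String>,
}

/// Does `pattern` cover `path`? "Vehicle.*" covers "Vehicle" and every path
/// below it; any other pattern must match the path exactly.
fn pattern_matches(pattern: &str, path: &str) -> bool {
    match pattern.strip_suffix(".*") {
        Some(prefix) => path == prefix || path.starts_with(&format!("{prefix}.")),
        None => pattern == path,
    }
}

/// Does the token grant `action` ("read" or "provide" here) on `path`?
pub fn has_scope(token: &Token, action: &str, path: &str) -> bool {
    token.scopes.iter().any(|scope| match scope.split_once(':') {
        Some((a, pattern)) => a == action && pattern_matches(pattern, path),
        None => false,
    })
}

/// Stand-in for the broker's signal table: path -> (current value, provider id).
#[derive(Default)]
pub struct Broker {
    values: HashMap<String, (f64, String)>,
    /// true reproduces the reported behaviour: any valid token may register.
    pub accept_any_valid_token: bool,
}

impl Broker {
    /// ProvideSignalRequest followed by the provider's GetProviderValueResponse,
    /// collapsed into one call. Err means the registration was refused.
    pub fn provide_signal(
        &mut self,
        token: &Token,
        provider: &str,
        path: &str,
        value: f64,
    ) -> Result<(), String> {
        // Hardened policy (the CWE-306 fix): a valid token is not enough, the
        // token must carry a provide scope that covers this exact path.
        if !self.accept_any_valid_token && !has_scope(token, "provide", path) {
            return Err(format!("{provider}: no provide scope for {path}"));
        }
        self.values.insert(path.to_string(), (value, provider.to_string()));
        Ok(())
    }

    /// GetValue: read scope is enforced, as the broker already does for reads.
    pub fn get_value(&self, token: &Token, path: &str) -> Result<Option<(f64, String)>, String> {
        if !has_scope(token, "read", path) {
            return Err(format!("no read scope for {path}"));
        }
        Ok(self.values.get(path).cloned())
    }
}

/// Walk steps 1-7 of the description against a broker using the given policy.
/// Returns whether the read-only client's registration was accepted and what
/// an ordinary consumer then sees for Vehicle.Speed (value, provider id).
pub fn simulate(accept_any_valid_token: bool) -> (bool, Option<(f64, String)>) {
    let mut broker = Broker { accept_any_valid_token, ..Default::default() };
    // Constructed participants: a legitimate sensor, the attacker, a consumer.
    let sensor = Token { scopes: vec!["provide:Vehicle.Speed".to_string()] };
    let read_only = Token { scopes: vec!["read:Vehicle.*".to_string()] };
    let consumer = Token { scopes: vec!["read:Vehicle.Speed".to_string()] };

    broker
        .provide_signal(&sensor, "speed-sensor", "Vehicle.Speed", 42.0)
        .expect("legitimate provider holds the provide scope");
    // Steps 3-6: the read-only client registers and answers with forged data.
    let accepted = broker
        .provide_signal(&read_only, "read-only-client", "Vehicle.Speed", 0.0)
        .is_ok();
    // Step 7: what another client receives from GetValue.
    let seen = broker
        .get_value(&consumer, "Vehicle.Speed")
        .expect("consumer holds the read scope");
    (accepted, seen)
}

fn main() {
    println!("any valid token accepted: {:?}", simulate(true));
    println!("provide scope required:   {:?}", simulate(false));
}
```

The decision is made inside provide_signal, per ProvideSignalRequest and per signal path, rather than once when the stream is opened, so a token that legitimately provides one signal cannot quietly take over another. In a real deployment the scope names and wildcard rules must come from whatever issues the tokens; the ones used here are illustrative only.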



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 14:45:00 +0000

Type | Values Removed | Values Added
Title | | Unrestricted Signal Provider registration enables unauthorized data injection in Eclipse KUKSA Databroker

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Eclipse; Eclipse kuksa
Vendors & Products | | Eclipse; Eclipse kuksa

Fri, 24 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API (kuksa.val.v2). 3. Open OpenProviderStream. 4. Send ProvideSignalRequest for a target signal ID. 5. Wait for the broker to forward GetProviderValueRequest. 6. Reply with attacker-controlled GetProviderValueResponse. 7. Other clients performing GetValue / GetValues for that signal receive forged data.
Weaknesses | | CWE-306
References | |
Metrics (cvssV4_0) | | {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-04-24T11:29:18.312Z

Reserved: 2026-04-14T12:57:50.655Z

Link: CVE-2026-6272

Vulnrichment

Updated: 2026-04-24T11:21:55.691Z

NVD

Status: Awaiting Analysis

Published: 2026-04-24T09:16:04.227

Modified: 2026-04-24T14:39:28.770

Link: CVE-2026-6272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses