Home

Description

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

PUBLISHED Reserved 2026-05-26 | Published 2026-07-14 | Updated 2026-07-14 | Assigner eclipse




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-348: Use of Less Trusted Source

CWE-807: Reliance on Untrusted Inputs in a Security Decision

CWE-345: Insufficient Verification of Data Authenticity

Product status

Default status
unaffected

5.0.0 (semver)
affected

Credits

Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group finder

References

gitlab.eclipse.org/security/cve-assignment/-/work_items/117

cve.org (CVE-2026-9561)

nvd.nist.gov (CVE-2026-9561)

Download JSON