CVE-2026-6272

Source
https://cve.org/CVERecord?id=CVE-2026-6272
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6272.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6272
Published
2026-04-24T08:28:17.690Z
Modified
2026-07-08T08:11:45.597818894Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H CVSS Calculator
Summary
[none]
Details

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

  1. Obtain any valid token with only read scope.
  2. Connect to the normal production gRPC API (kuksa.val.v2).
  3. Open OpenProviderStream.
  4. Send ProvideSignalRequest for a target signal ID.
  5. Wait for the broker to forward GetProviderValueRequest.
  6. Reply with attacker-controlled GetProviderValueResponse.
  7. Other clients performing GetValue / GetValues for that signal receive forged data.
Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6272.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "eclipse"
}
References

Affected packages

Git / github.com/eclipse-kuksa/kuksa-databroker

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-kuksa/kuksa-databroker
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.5.0"
        },
        {
            "last_affected": "0.6.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.5.0
0.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6272.json"