CVE-2026-9561 in Kurainfo

Summary

by MITRE • 07/14/2026

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability exists in Eclipse Kura versions prior to 5.6.2 where the system blindly trusts client-supplied X-Forwarded-For HTTP headers as the definitive source for determining client IP addresses in audit logging. The flaw affects both the web console and REST API components, which utilize this header as their primary means of establishing audit context. The underlying issue stems from the unconditional installation of Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors through the org.eclipse.kura.jetty.customizer component, causing HttpServletRequest.getRemoteAddr() to return attacker-controlled values rather than the actual client IP address. This represents a classic case of insecure input validation and trust model manipulation that directly violates security principles outlined in CWE-284 Access Control and CWE-352 Cross-Site Request Forgery. The vulnerability enables attackers to completely subvert IP-based security controls that organizations rely upon for protection against brute-force attacks and denial-of-service scenarios.

The operational impact of this vulnerability is significant and multifaceted, creating opportunities for both stealthy attack execution and malicious disruption. An unauthenticated remote attacker can manipulate audit logs by spoofing their IP address to non-routable values such as 127.0.0.1 or private network addresses, effectively bypassing security mechanisms like fail2ban that depend on accurate IP tracking for rate limiting and blocking. This allows brute-force attacks to proceed undetected while the system logs false IP addresses, creating misleading audit trails that obscure actual attack vectors. Additionally, attackers can perform malicious denial-of-service by injecting victim IP addresses into the X-Forwarded-For header, causing legitimate users to be banned from accessing the system through automated security mechanisms designed to protect against abuse.

Organizations should immediately upgrade to Eclipse Kura 5.6.2 or later versions that address this vulnerability through proper input validation and secure IP address determination processes. The mitigation strategy must include implementing proper header validation mechanisms that either ignore client-supplied forwarded headers entirely or validate them against known trusted proxies before accepting their values. Security teams should also review their existing audit log configurations to identify any potential exploitation of similar vulnerabilities across other components in their infrastructure. According to ATT&CK framework technique T1562.007, this vulnerability maps to the "Impair Command History" sub-technique where attackers manipulate system logs to hide their activities and bypass security controls. Organizations should implement robust network segmentation and proxy configuration management to prevent unauthorized modification of forwarded headers, while also establishing proper monitoring for anomalous IP address patterns in audit logs that could indicate header manipulation attempts.

Responsible

Eclipse

Reservation

05/26/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!