High severityNVD Advisory· Published Apr 24, 2026· Updated Apr 24, 2026

CVE-2026-6272

Description

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

Obtain any valid token with only read scope.
Connect to the normal production gRPC API (kuksa.val.v2).
Open OpenProviderStream.
Send ProvideSignalRequest for a target signal ID.
Wait for the broker to forward GetProviderValueRequest.
Reply with attacker-controlled GetProviderValueResponse.
Other clients performing GetValue / GetValues for that signal receive forged data.

Affected products

Eclipse/Kuksa.val.v2inferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gitlab.eclipse.org/security/cve-assignment/-/issues/98nvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000