Auth bypass in Eclipse Foundation Kuksa - Databroker

CVE-2026-6272

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

1. Obtain any valid token with only read scope.
2. Connect t…

Vulnerability class: Broken Authentication

EPSS: 0.000 (4.1th percentile)
