Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-13699— Databroker 0.6.1 PublishValue missing data_point panic

CVSS 4.3 · Medium EPSS 0.24% · P15

Affected Version Matrix 1

VendorProductVersion RangeStatus
Eclipse FoundationEclipse KUKSA - Databroker0.6.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-13699

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Databroker 0.6.1 PublishValue missing data_point panic
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional data_point field in PublishValueRequest. When a request contains a valid signal_id but omits data_point, the server directly calls unwrap() on request.data_point, triggering a panic in the Tokio worker thread. This issue can be triggered by any client holding a valid JWT token. Unauthenticated or invalid-token requests are rejected and do not reach the vulnerable path. The panic causes the individual gRPC call to be cancelled but does not terminate the Databroker process, which remains available for subsequent requests.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Eclipse kuksa 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Eclipse kuksa是美国Eclipse基金会的一个车辆数据服务平台。 Eclipse kuksa 0.6.1版本存在输入验证错误漏洞,该漏洞源于kuksa.val.v2.VAL/PublishValue gRPC处理程序未能验证PublishValueRequest中可选data_point字段的存在,当持有有效JWT令牌的客户端发送包含有效signal_id但缺少data_point的请求时,服务器直接调用unwrap(),导致Tokio工作线程崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Eclipse FoundationEclipse KUKSA - Databroker 0.6.1 -

II. Public POCs for CVE-2026-13699

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-13699

登录查看更多情报信息。

Patches & Fixes for CVE-2026-13699 (1)

Same Patch Batch · Eclipse Foundation · 2026-07-14 · 10 CVEs total

CVE-2026-578989.0 CRITICALEclipse BaSyx Java Server SDK 路径遍历漏洞
CVE-2024-77087.5 HIGHEclipse Jetty 资源管理错误漏洞
CVE-2026-67905.3 MEDIUMEclipse Jetty 输入验证错误漏洞
CVE-2026-83845.3 MEDIUMEclipse jetty 授权问题漏洞
CVE-2026-15076Eclipse Vert.x 输入验证错误漏洞
CVE-2026-15075Eclipse vert.x 信息泄露漏洞
CVE-2026-9561Eclipse kura 输入验证错误漏洞
CVE-2026-10051Eclipse Jetty 信息泄露漏洞
CVE-2026-12606Eclipse Glassfish 输入验证错误漏洞

IV. Related Vulnerabilities

V. Comments for CVE-2026-13699

No comments yet


Leave a comment