PatchSiren cyber security CVE debrief
CVE-2026-13699 Eclipse Foundation CVE debrief
CVE-2026-13699 is a vulnerability in the Eclipse KUKSA Databroker version 0.6.1. The `kuksa.val.v2.VAL/PublishValue` gRPC handler fails to validate the existence of the optional `data_point` field in `PublishValueRequest`. When a request contains a valid `signal_id` but omits `data_point`, the server directly calls `unwrap()` on `request.data_point`, triggering a panic in the Tokio worker thread. This issue can be triggered by any client holding a valid JWT token. Unauthenticated or invalid-token requests are rejected and do not reach the vulnerable path. The panic causes the individual gRPC call to be cancelled but does not terminate the Databroker process, which remains available for subsequent requests.
- Vendor
- Eclipse Foundation
- Product
- Eclipse KUKSA - Databroker
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Eclipse KUKSA Databroker version 0.6.1 who have clients with valid JWT tokens should be aware of this vulnerability. Although the Databroker process remains available after the panic, the individual gRPC call is cancelled, which may impact the reliability of the system.
Technical summary
The `kuksa.val.v2.VAL/PublishValue` gRPC handler in Eclipse KUKSA Databroker version 0.6.1 does not validate the existence of the optional `data_point` field in `PublishValueRequest`. A client with a valid JWT token can trigger a panic by sending a request with a valid `signal_id` but omitting `data_point`. The panic occurs because the server calls `unwrap()` on `request.data_point` without checking if it exists.
Defensive priority
Medium
Recommended defensive actions
- Validate the existence of optional fields in gRPC requests
- Implement checks for valid JWT tokens
- Monitor system logs for Tokio worker thread panics
- Consider upgrading to a patched version of Eclipse KUKSA Databroker
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-14T09:16:40.050Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. Users should check for any additional information from the vendor or other reliable sources.
Official resources
-
CVE-2026-13699 CVE record
CVE.org
-
CVE-2026-13699 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:40.050Z and has not been modified since then.