
Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
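The core of the flaw described above is that the delegation target URI is used as supplied. The check below is an added example written for this page, not code from the BaSyx SDK: it shows a deny-by-default validator that a delegation feature could run before issuing the outbound request. Scheme and host allow-lists, the blocked address ranges, the `resolver` parameter and all host names and addresses are assumptions constructed for the example; a real deployment would load the allow-lists from configuration.

```python
"""Deny-by-default validation of an operation-delegation target URL (example, not BaSyx code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allow-list of delegation endpoints and the networks they may resolve to.
ALLOWED_HOSTS = {"delegate.example.internal"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def is_always_blocked(ip_text):
    """Addresses a delegated request must never reach, regardless of allow-lists:
    loopback, link-local (which includes the 169.254.169.254 metadata endpoint),
    multicast, reserved and unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def in_allowed_network(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_NETWORKS)


def validate_delegation_target(url, resolver=socket.gethostbyname):
    """Return (True, 'ok') if the URL may be used as a delegation destination,
    otherwise (False, reason). `resolver` maps a host name to an IPv4 address
    string and is injectable so the check can be exercised offline."""
    try:
        parsed = urlparse(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        return False, "credentials embedded in the URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"

    # 1. Literal IP addresses (IPv4 or bracketed IPv6) are checked directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_always_blocked(host):
            return False, f"address {host} is in a blocked range"
        if not in_allowed_network(host):
            return False, f"address {host} is outside the allowed networks"
        return True, "ok"

    # 2. Host names: deny by default, only allow-listed names continue.
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allow-list"

    # 3. Defence in depth: the name must also resolve into an allowed network,
    #    so a DNS change cannot redirect an allow-listed name to a blocked target.
    try:
        resolved = resolver(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    if resolved is None:
        return False, f"cannot resolve {host}"
    if is_always_blocked(resolved) or not in_allowed_network(resolved):
        return False, f"{host} resolves to disallowed address {resolved}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demonstration runs without network access.
    fake_dns = {"delegate.example.internal": "10.20.30.40"}.get
    for candidate in ("http://delegate.example.internal/op",
                      "http://169.254.169.254/",
                      "http://127.0.0.1:8080/",
                      "file:///tmp/x"):
        print(candidate, "->", validate_delegation_target(candidate, fake_dns))
```

The validator is written so that the always-blocked ranges win over any configuration mistake, while ordinary private networks are reachable only when an operator has listed them explicitly. Note that resolving the name once at validation time and then letting an HTTP client resolve it again still leaves a time-of-check window; pinning the connection to the validated address closes it.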

Status: PUBLISHED | Reserved 2026-04-29 | Published 2026-05-05 | Updated 2026-05-06 | Assigner: eclipse

Severity: HIGH 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Problem types

CWE-918 Server-Side request forgery (SSRF)

Product status

Default status: unaffected

Any version before 2.0.0-milestone-10: affected

Credits

Mohamed Lemine Ahmed Jidou (AegisSec), finder

References

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/423 (exploit)

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/423

gitlab.eclipse.org/security/cve-assignment/-/issues/103

cve.org (CVE-2026-7412)

nvd.nist.gov (CVE-2026-7412)
