CVE-2026-7412

HIGH

Eclipse BaSyx < 2.0.0-milestone-10 - Server-Side Request Forgery


Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Scores

CVSS v3 8.6
EPSS 0.0052
EPSS Percentile 39.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (2)
Eclipse Foundation/Eclipse BaSyx < 2.0.0-milestone-10
org.eclipse.basyx/basyx.sdk 0 - 2.0.0-milestone-10 (Maven)
Published May 05, 2026
Tracked Since May 05, 2026