CVE-2026-7412

Published: May 5, 2026Modified: May 6, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: emo@eclipse.org (Secondary)

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://gitlab.eclipse.org/security/cve-assignment/-/issues/103

Source: emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

Source: emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.