Vulnerability Description
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/103
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423
FAQ
What is CVE-2026-7412?
CVE-2026-7412 is a vulnerability with a CVSS score of 8.6 (HIGH). In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker ...
How severe is CVE-2026-7412?
CVE-2026-7412 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-7412?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.