CVE-2026-7412

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.6 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N                                    

Vulnerability Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 06, 2026

CWE ID

CWE-918

Source

NVD

External References

https://gitlab.eclipse.org/security/cve-assignment/-/issues/103
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

CVE-2026-7412

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment