8.6 / 10 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
AI Analysis
An unauthenticated remote attacker can exploit a design flaw in the Operation Delegation feature to execute blind HTTP POST requests to arbitrary internal or external targets, allowing bypass of network segmentation and pivoting into isolated internal IT/OT infrastructure or targeting Cloud Metadata services (IMDS).
Basic Information
ID: CVE-2026-7412
Source: eclipse
Published: May 5, 2026 at 14:15
Affected Product
Vendor: Eclipse Foundation
Product: Eclipse BaSyx
Affected Versions: Eclipse Foundation Eclipse BaSyx 0
CWE Classification
AI Assessment
AI Score: 8.6 / 10
AI Severity: High
Vendor: Eclipse Foundation
Product: Eclipse BaSyx Java Server SDK
Version: prior to 2.0.0-milestone-10