CVE-2026-7412
Published: 2026-05-05
Priority: P2 63, high, 8.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.52% (40.0th percentile)
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse_foundation | eclipse_basyx | < 2.0.0-milestone-10 | 2.0.0-milestone-10 |
VulDB
Eclipse BaSyx up to 2.0.0-milestone-9 Operation Delegation Feature server-side request forgery (Issue 103)
vuldb·2026-05-05·CVSS 8.6
CVE-2026-7412 [HIGH] Eclipse BaSyx up to 2.0.0-milestone-9 Operation Delegation Feature server-side request forgery (Issue 103)
A vulnerability described as critical has been identified in Eclipse BaSyx up to 2.0.0-milestone-9. Impacted is an unknown function of the component Operation Delegation Feature. The manipulation results in server-side request forgery.
This vulnerability is reported as CVE-2026-7412. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery
ghsa·2026-05-05
CVE-2026-7412 [HIGH] CWE-918 Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
GHSA
GHSA-gx3v-wxfj-8h24: In Eclipse BaSyx Java Server SDK versions prior to 2
ghsa_unreviewed·2026-05-05
CVE-2026-7412 [HIGH] CWE-918 GHSA-gx3v-wxfj-8h24: In Eclipse BaSyx Java Server SDK versions prior to 2
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
No detection rules found.
No public exploits indexed.
Published: 2026-05-05