CVE-2026-7412
Awaiting Analysis Awaiting Analysis - Queue

Operation Delegation URI Validation Flaw in Eclipse BaSyx Java Server SDK

Vulnerability report for CVE-2026-7412, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: Eclipse Foundation

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
eclipse basyx_java_server_sdk to 2.0.0-milestone-10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated remote attackers to bypass network segmentation and access isolated internal IT/OT infrastructure or cloud metadata services. This could lead to unauthorized access to sensitive data or critical systems.

Such unauthorized access and potential data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate network security controls to prevent unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Executive Summary

This vulnerability exists in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, specifically in the Operation Delegation feature.

The flaw is that the feature fails to validate the destination URI of delegated requests, which means an unauthenticated remote attacker can exploit this to make the server send blind HTTP POST requests to arbitrary internal or external targets.

This type of vulnerability is known as Server-Side Request Forgery (SSRF), identified as CWE-918.

Impact Analysis

An attacker exploiting this vulnerability can bypass network segmentation and pivot into isolated internal IT/OT infrastructure.

They can also target Cloud Metadata services such as the Instance Metadata Service (IMDS), potentially gaining sensitive information or further access.

Because the attacker can send arbitrary HTTP POST requests from the server, this can lead to unauthorized actions within protected network zones.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unexpected HTTP POST requests originating from the BaSyx Java Server SDK to internal or external targets, especially those that bypass normal network segmentation.

Since the vulnerability allows blind server-side request forgery (SSRF) through the Operation Delegation feature, network administrators can look for unusual outbound HTTP POST traffic from the BaSyx server to internal IP ranges (such as 127.0.0.1, private IP ranges) or cloud metadata service endpoints (e.g., IMDS).

Suggested commands to detect suspicious activity include:

  • Using tcpdump or tshark to capture outbound HTTP POST requests from the BaSyx server: tcpdump -i <interface> 'tcp and dst port 80 or 443 and src host <basyx_server_ip>'
  • Using netstat or ss to check for established connections from the BaSyx server to unusual internal or external IPs: netstat -anp | grep java
  • Reviewing BaSyx server logs for any Operation Delegation requests or unexpected HTTP POST operations.
Mitigation Strategies

Immediate mitigation steps include upgrading the Eclipse BaSyx Java Server SDK to version 2.0.0-milestone-10 or later, where the vulnerability has been addressed.

If upgrading is not immediately possible, implement network-level controls to block unauthorized outbound HTTP POST requests from the BaSyx server to internal or external targets, especially to sensitive internal IP ranges and cloud metadata services.

Additionally, deploy host verification and blocklisting mechanisms for HTTP operation delegation to prevent unauthorized network requests as recommended.

Review and restrict permissions of the BaSyx Java process to limit its ability to make arbitrary network requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart