Skip to main content

Eclipse BaSyx Java SDK CVE-2026-7412

| EUVDEUVD-2026-27386 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-05 eclipse GHSA-gx3v-wxfj-8h24
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 17:32 EUVD
Analysis Generated
May 05, 2026 - 16:30 vuln.today

DescriptionCVE.org

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

AnalysisAI

Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.

Technical ContextAI

Eclipse BaSyx is an open-source Java SDK implementing the Industry 4.0 Asset Administration Shell (AAS) specification for digital twin and industrial asset management. The vulnerability resides in the Operation Delegation feature, which allows the BaSyx server to forward operation requests to external endpoints. CWE-918 (Server-Side Request Forgery) occurs when the application accepts user-controlled URLs without proper validation of the destination. In this case, the BaSyx server fails to validate the destination URI before executing HTTP POST requests, enabling attackers to abuse the server as a proxy to reach internal network resources, cloud provider metadata endpoints (AWS IMDS at 169.254.169.254, Azure IMDS, GCP metadata), or other internal services that trust requests from the BaSyx server's IP address. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component itself, consistent with SSRF attacks that pivot across network boundaries.

RemediationAI

Upgrade Eclipse BaSyx Java Server SDK to version 2.0.0-milestone-10 or later, which implements URI validation controls for the Operation Delegation feature per Eclipse Foundation advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Review deployment architecture and apply compensating controls during upgrade window: disable the Operation Delegation feature entirely if not required for business operations (check BaSyx configuration files for delegation settings); implement strict egress filtering at network perimeter to block outbound HTTP/HTTPS from BaSyx servers except to explicitly whitelisted destinations; deploy Web Application Firewall (WAF) or reverse proxy with request inspection to detect and block SSRF attempts (monitor for suspicious internal IP addresses, cloud metadata endpoints 169.254.169.254, localhost references, or URL encoding techniques in delegation parameters); isolate BaSyx servers in dedicated network segments with minimal access to internal resources. Note that egress filtering may interfere with legitimate delegation use cases and must be coordinated with operational teams. For cloud deployments, implement IMDSv2 (AWS) which requires token-based authentication and mitigates blind SSRF against metadata services, though this does not address internal network pivoting risks.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-7412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy