Skip to main content

Eclipse BaSyx Java Server SDK EUVDEUVD-2026-27384

| CVE-2026-7411 CRITICAL
Path Traversal (CWE-22)
2026-05-05 eclipse GHSA-8gpm-h2mh-36qc
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 05, 2026 - 17:32 EUVD
Analysis Generated
May 05, 2026 - 16:30 vuln.today

DescriptionCVE.org

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

AnalysisAI

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

Technical ContextAI

Eclipse BaSyx is a Java-based open-source implementation of the Asset Administration Shell (AAS) framework for Industry 4.0 and Industrial IoT applications. The vulnerability resides in the Submodel HTTP API component responsible for handling file upload operations. The root cause is inadequate path normalization (CWE-22: Improper Limitation of a Pathname to a Restricted Directory), where user-supplied fileName parameters are not properly validated or sanitized before being used in filesystem operations. Attackers can inject directory traversal sequences (e.g., '../../../') to escape the intended upload directory. Because the Java process typically runs with application-level permissions, successful exploitation grants filesystem write access to any location writable by that process, including application directories, configuration files, web roots, or system startup locations depending on deployment architecture.

RemediationAI

Upgrade immediately to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later, which contains fixes for inadequate path normalization in the Submodel HTTP API per vendor advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Until patching is completed, implement these compensating controls with noted trade-offs: (1) Disable or restrict network access to the Submodel HTTP API file upload endpoints using firewall rules or reverse proxy ACLs limiting access to trusted IP ranges only - reduces exposure but breaks legitimate remote file upload functionality for external clients; (2) Deploy the Java Server SDK in containerized environments with read-only root filesystems and minimal writable volumes, limiting blast radius of arbitrary file writes - adds operational complexity and may require application reconfiguration for legitimate file storage locations; (3) Run the Java process with minimally-privileged dedicated service accounts in isolated filesystem namespaces (chroot/containers) preventing writes to critical system paths - effective mitigation but requires infrastructure changes and testing to ensure application functionality. None of these workarounds fully eliminate the vulnerability; upgrading to the patched version remains the only complete remediation. Organizations unable to upgrade immediately should combine multiple compensating controls and implement enhanced monitoring for unexpected filesystem modifications.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-27384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy