Vulnerability CVE-2026-7412


CVE-2026-7412 - Vulnerability-Lookup


CVE-2026-7412

(GCVE-0-2026-7412)

Vulnerability from cvelistv5 – Published: 2026-05-05 14:15 – Updated: 2026-05-06 15:25


Summary

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Severity

8.6 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

eclipse

References

2 references


https://gitlab.eclipse.org/security/vulnerability…

https://gitlab.eclipse.org/security/cve-assignmen…

Impacted products

1 product

Vendor: Eclipse Foundation
Product: Eclipse BaSyx
Version: Affected: 0, < 2.0.0-milestone-10 (custom)


Credits

Mohamed Lemine Ahmed Jidou (AegisSec)
