CVE-2026-7412

HIGH 8.6

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

CWE	CWE-918
Vendor	eclipse foundation
Product	eclipse basyx
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for eclipse foundation eclipse basyx

Be the first to know when new high vulnerabilities affecting eclipse foundation eclipse basyx are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Eclipse Foundation / Eclipse BaSyx

0 < 2.0.0-milestone-10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gitlab.eclipse.org: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 gitlab.eclipse.org: https://gitlab.eclipse.org/security/cve-assignment/-/issues/103

Credits

Mohamed Lemine Ahmed Jidou (AegisSec)