Vulnerability CVE-2026-7412
CVE-2026-7412 is a high-severity vulnerability in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10. The flaw lies in the Operation Delegation feature, which fails to validate destination URIs for delegated requests. This allows unauthenticated remote attackers to trigger blind HTTP POST requests, potentially accessing internal networks or cloud metadata services.
- CVE-2026-7412 is classified as a Server-Side Request Forgery (SSRF) vulnerability (CWE-918).
- It affects Eclipse BaSyx Java Server SDK versions before 2.0.0-milestone-10.
- The vulnerability has a CVSS score of 8.6 (High) due to its network-based attack vector and high confidentiality impact.
- An attacker can exploit the flaw to bypass network segmentation and target internal IT/OT or cloud metadata services.
- Mohamed Lemine Ahmed Jidou from AegisSec is credited with discovering the vulnerability.
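A destination-URI check of the kind the record says Operation Delegation lacked, written here as an added Python example (not BaSyx project code). The allow-listed host `delegate.example.com`, the "globally routable addresses only" policy and the constructed resolver table in the demo are assumptions, not taken from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not BaSyx code. A delegation target must use https, its host
# must be on an operator allow-list (assumed value below), and every address it
# resolves to must be globally routable, so a name repointed at loopback,
# RFC 1918 space or the IMDS range 169.254.0.0/16 is refused.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"delegate.example.com"}  # assumed operator allow-list

def resolve_host(host):
    """All addresses for host; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = socket.getaddrinfo(host, None)
        return sorted({info[4][0].split("%")[0] for info in infos})

def validate_delegation_target(uri, resolve=resolve_host):
    """Return [] if uri is an acceptable target, else the rejection reasons.
    Every address from resolve(host) is checked, so a mixed public/internal
    answer (as seen with DNS rebinding) is rejected too."""
    reasons = []
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo in URI not allowed")
    host = parts.hostname
    if not host:
        return reasons + ["missing host"]
    if host.lower() not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} not on allow-list")
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (ValueError, OSError) as exc:
        return reasons + [f"could not resolve {host!r}: {exc}"]
    for ip in addrs:
        if not ip.is_global:
            reasons.append(f"{host} resolves to non-global address {ip}")
    return reasons

if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline; 1.2.3.4 is a made-up public address.
    table = {"delegate.example.com": ["1.2.3.4"], "169.254.169.254": ["169.254.169.254"]}
    print(validate_delegation_target("https://delegate.example.com/op", table.get))
    print(validate_delegation_target("http://169.254.169.254/latest/", table.get))
```

The check must run on the final URI the server will actually connect to, and the HTTP client used for the delegated POST should not follow redirects, otherwise a permitted host can still forward the request elsewhere.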
Opening excerpt (first ~120 words):
CVE-2026-7412 (GCVE-0-2026-7412). Vulnerability record from cvelistv5 – Published: 2026-05-05 14:15 – Updated: 2026-05-06 15:25.

Summary: In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Gcve.