Description
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
Published: 2026-05-05
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the BaSyx Operation Delegation feature, which does not validate the destination URI of delegated requests. An unauthenticated remote attacker can send specially crafted requests that cause the BaSyx server to issue blind HTTP POST requests to arbitrary internal or external URLs. This design flaw enables an attacker to bypass network segmentation, pivot into isolated internal or OT environments, or target cloud metadata services such as IMDS. The impact is a forced outbound transaction that can be leveraged for data exfiltration, lateral movement, or further compromise.

Affected Systems

All instances of the Eclipse BaSyx Java Server SDK with versions older than 2.0.0‑milestone‑10 are affected. No specific build numbers beyond the milestone are listed, so all releases prior to this milestone should be considered vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity vulnerability that is remotely exploitable without authentication. Although the EPSS score is not available, the high CVSS rating and the direct ability to issue arbitrary POST requests suggest a significant risk of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, but the attack vector—remote manipulation of outbound traffic via the Operation Delegation endpoint—is likely to be usable over a network connection to the BaSyx server.

Generated by OpenCVE AI on May 5, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BaSyx Java Server SDK to version 2.0.0‑milestone‑10 or later to apply the URI validation fix.
  • If an upgrade cannot be performed immediately, disable the Operation Delegation feature or block the BaSyx server’s ability to send outbound POST requests to any URL other than explicitly trusted endpoints.
  • Deploy network monitoring or a web application firewall to detect and block suspicious outbound POST traffic originating from the BaSyx server.

Generated by OpenCVE AI on May 5, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Attacker Forces Blind HTTP POST to Arbitrary URLs

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-05-05T14:15:05.877Z

Reserved: 2026-04-29T13:23:24.237Z

Link: CVE-2026-7412

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:18.480

Modified: 2026-05-05T19:31:10.400

Link: CVE-2026-7412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T17:45:06Z

Weaknesses