CVE-2026-7412 HIGH

CVE-2026-7412

Vendor Eclipse Foundation

Product Eclipse BaSyx

Weakness CWE-918 · SSRF

Published May 5, 2026

Last update May 6, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Key dates

02Disclosure timeline

May 5, 2026 CVE published

May 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-7412 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2025-12376 Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery CVE-2026-7223 BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery CVE-2025-7813 Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery CVE-2026-34526 SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 CVE-2023-46736 Server-Side Request Forgery in espocrm