PT-2026-37080 · Eclipse Foundation · Eclipse Basyx Java Server Sdk

Mohamed Lemine Ahmed Jidou · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-7412

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10

Description

The Operation Delegation feature fails to validate the destination URI of delegated requests. This design flaw allows an unauthenticated remote attacker to force the server to execute blind HTTP POST requests to arbitrary internal or external targets. Consequently, an attacker can bypass network segmentation to pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Recommendations

Update to version 2.0.0-milestone-10 or later.
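
The kind of destination check whose absence the description points to, as an added example that is not code from BaSyx or from its fix: a delegation URL is accepted only if it is http(s), carries no userinfo, names an allowlisted host, and resolves to no loopback, link-local, wildcard or multicast address. The class name, the `ALLOWED_HOSTS` entries and the sample URLs are constructed assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public final class DelegationTargetCheck {
    // Assumption: operators list every host that delegated operations may reach.
    // Constructed values; replace with your own delegation endpoints.
    private static final Set<String> ALLOWED_HOSTS = Set.of("10.20.0.15", "ops.example.internal");

    /** True only for http(s) URLs whose host is allowlisted and resolves to no restricted address. */
    static boolean isAllowed(String rawUrl) {
        if (rawUrl == null) return false;
        final URI uri;
        try {
            uri = URI.create(rawUrl.trim());
        } catch (IllegalArgumentException e) {
            return false;                      // unparsable input is rejected, never "fixed up"
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null || uri.getUserInfo() != null) return false;
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return false;
        try {
            // Defense in depth: an allowlisted name must not point at loopback,
            // link-local (169.254.0.0/16, where IMDS lives), wildcard or multicast.
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (a.isLoopbackAddress() || a.isLinkLocalAddress()
                        || a.isAnyLocalAddress() || a.isMulticastAddress()) return false;
            }
        } catch (UnknownHostException e) {
            return false;                      // fail closed when the name does not resolve
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample destinations for the check above.
        List<String> samples = List.of(
            "http://10.20.0.15:8081/invoke",
            "http://169.254.169.254/",
            "http://127.0.0.1:8080/",
            "ftp://10.20.0.15/",
            "http://10.20.0.15@169.254.169.254/");
        for (String s : samples) System.out.println((isAllowed(s) ? "ALLOW " : "DENY  ") + s);
    }
}
```

The HTTP client that sends the delegated POST should also refuse redirects, since a redirect response would otherwise move the request to a destination this check never saw.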

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-7412
GHSA-GX3V-WXFJ-8H24

Affected Products

Eclipse Basyx Java Server Sdk