CVE-2026-7412

CVE-2026-7412 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Eclipse BaSyx Java Server SDK in versions prior to 2.0.0-milestone-10. The flaw resides in the Operation Delegation feature, which fails to properly validate the destination URI of delegated requests. This design issue enables an unauthenticated remote attacker to manipulate the server into issuing HTTP POST requests to arbitrary targets. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for scope change with high confidentiality impact.

An unauthenticated attacker with network access to the BaSyx server can exploit this vulnerability by crafting malicious delegated requests, forcing the server to perform blind HTTP POST operations against internal or external destinations. Successful exploitation allows bypassing network segmentation, enabling pivoting into isolated IT/OT infrastructure or targeting sensitive cloud metadata services such as Instance Metadata Services (IMDS). No user interaction is required, and the attack leverages the server's trusted position to exfiltrate data or interact with otherwise unreachable systems.

Mitigation details are outlined in Eclipse security advisories available at https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 and https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Affected users should upgrade to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later, where the validation flaw has been addressed.