
CVE-2026-7411

Severity: Critical
Published: 05 May 2026
Modified: 06 May 2026
CISA KEV: not listed
Patch: available (upgrade to 2.0.0-milestone-10 or later)
CVSS v3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0368 (88.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-7411 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 11.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7411 is a critical path traversal vulnerability (CWE-22) affecting Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10. The flaw arises from inadequate path normalization in the Submodel HTTP API, which does not properly validate the fileName parameter during file upload operations. An attacker can therefore bypass the intended storage directory and write files to any location on the host filesystem that is writable by the Java process.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By supplying a crafted fileName in a file upload request, the attacker obtains an arbitrary file write with the permissions of the Java process; where that write lands in a location the server or host executes from (a web application or script directory, for example), it yields remote code execution (RCE) and full system compromise. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects this: network-reachable, low complexity, no privileges or user interaction, and a scope change because the impact extends beyond the vulnerable component to the host.

Eclipse security advisories provide further details on mitigation at https://gitlab.eclipse.org/security/cve-assignment/-/issues/102 and https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Upgrading to version 2.0.0-milestone-10 or later fixes the path normalization. Until the upgrade is applied, running the service as a dedicated low-privilege account whose write access is limited to its storage directory narrows what a traversal can reach, and restricting network access to the Submodel HTTP API removes the unauthenticated exposure.
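The following is an added illustration of the bug class described above, not BaSyx code: a naive upload handler that resolves the client-supplied fileName against its storage directory, next to a hardened version that normalizes the result and proves it stays inside the base. The class and method names, the storage directory (a fresh temp dir) and the sample fileName values are all constructed for the example. It assumes the HTTP layer has already URL-decoded the parameter once, which is how servlet containers behave; a double-encoded "%252e%252e" then arrives as the literal string "%2e%2e" and is harmless unless the application decodes it a second time.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative upload-path handling (added example; not BaSyx code).
 * Compares a naive base.resolve(fileName) with a normalize-and-contain check.
 */
public class UploadPathCheck {

    /** Vulnerable pattern: trust whatever the client-supplied name resolves to. */
    static Path vulnerableTarget(Path storageDir, String fileName) {
        // "../../x" keeps its ".." segments until something normalizes them,
        // and resolve() with an absolute fileName drops storageDir entirely.
        return storageDir.resolve(fileName);
    }

    /** Hardened pattern: normalize first, then prove the result stays under the base. */
    static Path safeTarget(Path storageDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed fileName");
        }
        Path base = storageDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(fileName).normalize();
        // startsWith compares whole path components, so a sibling directory
        // such as <base>2 does not pass; equals(base) rejects "." and "".
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new SecurityException("fileName resolves outside storage: " + fileName);
        }
        // If the parent already exists, follow symlinks too: a planted link inside
        // the storage directory must not redirect the write elsewhere.
        Path parent = candidate.getParent();
        if (Files.exists(parent) && !parent.toRealPath().startsWith(base.toRealPath())) {
            throw new SecurityException("fileName parent is a link outside storage: " + fileName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs; the storage directory is a fresh temp dir.
        Path storage = Files.createTempDirectory("upload-demo").toAbsolutePath();
        String[] samples = {
            "report.pdf",
            "2026/report.pdf",
            "../../tmp/shell.jsp",
            "/etc/cron.d/backdoor",
            "..\\..\\shell.jsp",   // traverses on Windows; just an odd file name on Linux
            ".",
        };
        for (String name : samples) {
            System.out.println("fileName = " + name);
            System.out.println("  naive write target : " + vulnerableTarget(storage, name).normalize());
            try {
                Path ok = safeTarget(storage, name);
                System.out.println("  hardened           : accepted, " + storage.relativize(ok));
            } catch (RuntimeException e) {
                System.out.println("  hardened           : rejected, " + e.getMessage());
            }
        }
    }
}
```

Run it with `java UploadPathCheck.java` (JDK 11 or later). The naive target for "../../tmp/shell.jsp" and "/etc/cron.d/backdoor" lands outside the temp directory, while the hardened check rejects both; the backslash sample is accepted on Linux because it is a single path component there, which is why the check runs on the normalized Path rather than on the raw string.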


Vulnerability details

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in an unauthenticated HTTP file-upload API directly enables T1190 (exploitation of a public-facing application) for RCE. The same arbitrary file write covers T1105 (bringing attacker files onto the host without a separate download step) and T1505.003 (dropping a web shell by writing a crafted file into a directory the web server serves).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5027 (shared CWE-22)
CVE-2025-41714 (shared CWE-22)
CVE-2026-36767 (shared CWE-22)
CVE-2025-2363 (shared CWE-22)
CVE-2025-2707 (shared CWE-22)
CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2026-27969 (shared CWE-22)

Affected Assets

BaSyx Java Server SDK (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the inadequate path normalization: validate the fileName parameter in Submodel HTTP API file uploads and reject path traversal sequences and absolute paths before any file is written.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation: upgrade Eclipse BaSyx Java Server SDK to version 2.0.0-milestone-10 or later, which fixes the path traversal.

Vulnerability scanning (detect)
Identifies path traversal flaws like CVE-2026-7411 in the HTTP API before they are exploited.
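The ATT&CK rationale above and the detect control both assume someone is watching for traversal attempts against the upload API. The following is an added example of that detection over constructed access-log lines; it is not part of the page or of any product. The /submodels/.../attachment route is a placeholder rather than the real BaSyx endpoint, and the example assumes fileName travels as a query parameter, which is what an access log can see. It decodes the value repeatedly so double-encoded ".." survives, and treats absolute POSIX and Windows paths as traversal too. If the SDK carries fileName inside a multipart body, the same logic belongs in a reverse-proxy or WAF rule or in application-level logging, because a standard access log will not contain it.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative traversal-attempt detector for access-log lines (added example; not product code). */
public class TraversalLogScan {

    // Request target inside the quoted request line of a common/combined log entry.
    private static final Pattern REQUEST = Pattern.compile("\"[A-Z]+ (\\S+) HTTP/[0-9.]+\"");
    // A ".." component delimited by / or \ (or at either end) in the decoded value.
    private static final Pattern DOT_DOT = Pattern.compile("(^|[/\\\\])\\.\\.([/\\\\]|$)");

    /** Decode until the string stops changing (max 3 rounds) so double-encoded %252e%252e is caught. */
    static String fullyDecode(String s) {
        String cur = s;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                // Keep a literal '+' as '+': this is a path, not a form field.
                next = URLDecoder.decode(cur.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed escape such as "%zz": report what we have so far
            }
            if (next.equals(cur)) break;
            cur = next;
        }
        return cur;
    }

    /** True if the value is a ".." traversal, an absolute POSIX path, or a Windows drive path. */
    static boolean looksLikeTraversal(String decodedValue) {
        return DOT_DOT.matcher(decodedValue).find()
                || decodedValue.startsWith("/")
                || decodedValue.startsWith("\\")
                || decodedValue.matches("^[A-Za-z]:.*");
    }

    /** Returns the decoded suspicious fileName value, or null when the line is clean. */
    static String flag(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) return null;
        String target = m.group(1);
        int q = target.indexOf('?');
        if (q < 0) return null;
        for (String pair : target.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            // Split on the raw '&' and '=' first, then decode each side separately,
            // so an encoded delimiter inside a value cannot hide the parameter.
            String key = fullyDecode(pair.substring(0, eq));
            String value = fullyDecode(pair.substring(eq + 1));
            if (key.equalsIgnoreCase("fileName") && looksLikeTraversal(value)) {
                return value;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed log lines. The /submodels/.../attachment route is a placeholder,
        // not the real BaSyx endpoint, and fileName is assumed to travel as a query parameter.
        String[] lines = {
            "10.0.0.5 - - [05/May/2026:10:01:02 +0000] \"PUT /submodels/abc/attachment?fileName=report.pdf HTTP/1.1\" 200 17",
            "10.0.0.9 - - [05/May/2026:10:01:07 +0000] \"PUT /submodels/abc/attachment?fileName=..%2F..%2F..%2Ftmp%2Fshell.jsp HTTP/1.1\" 200 17",
            "10.0.0.9 - - [05/May/2026:10:01:09 +0000] \"PUT /submodels/abc/attachment?fileName=%252e%252e%252fetc%252fcron.d%252fx HTTP/1.1\" 200 17",
            "10.0.0.9 - - [05/May/2026:10:01:11 +0000] \"PUT /submodels/abc/attachment?fileName=%2Fopt%2Fapp%2Fwebapps%2FROOT%2Fcmd.jsp HTTP/1.1\" 200 17",
        };
        for (String line : lines) {
            String hit = flag(line);
            System.out.println(hit == null ? "clean   " + line : "SUSPECT fileName=" + hit);
        }
    }
}
```

The first line is reported clean; the other three are flagged as "../../../tmp/shell.jsp", "../etc/cron.d/x" (only visible after the second decoding round) and "/opt/app/webapps/ROOT/cmd.jsp". A 200 response on any flagged line is the signal to go and look at what was written under the storage directory's parent paths.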

References

https://gitlab.eclipse.org/security/cve-assignment/-/issues/102
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423