Cyber Resilience

CVE-2026-7412

High

Published: 05 May 2026

Published
05 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0052 40.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7412 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-7412 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Eclipse BaSyx Java Server SDK in versions prior to 2.0.0-milestone-10. The flaw resides in the Operation Delegation feature, which fails to properly validate the destination URI of delegated requests. This design issue enables an unauthenticated remote attacker to manipulate the server into issuing HTTP POST requests to arbitrary targets. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for scope change with high confidentiality impact.

An unauthenticated attacker with network access to the BaSyx server can exploit this vulnerability by crafting malicious delegated requests, forcing the server to perform blind HTTP POST operations against internal or external destinations. Successful exploitation allows bypassing network segmentation, enabling pivoting into isolated IT/OT infrastructure or targeting sensitive cloud metadata services such as Instance Metadata Services (IMDS). No user interaction is required, and the attack leverages the server's trusted position to exfiltrate data or interact with otherwise unreachable systems.

Mitigation details are outlined in Eclipse security advisories available at https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 and https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Affected users should upgrade to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later, where the validation flaw has been addressed.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind…

more

HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing BaSyx server SDK directly enables T1190 (Exploit Public-Facing Application) with no auth required; explicit mention of forcing requests to IMDS enables T1552.005 (Cloud Instance Metadata API) for credential theft or internal pivoting.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2025-54122Shared CWE-918
CVE-2026-25545Shared CWE-918
CVE-2026-41905Shared CWE-918
CVE-2025-50180Shared CWE-918
CVE-2026-28423Shared CWE-918
CVE-2026-42595Shared CWE-918
CVE-2025-8085Shared CWE-918
CVE-2026-31017Shared CWE-918

Affected Assets

BaSyx Java Server SDK
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of input URIs in the Operation Delegation feature to prevent SSRF by blocking arbitrary destination manipulation.

prevent

Enforces information flow control policies that restrict the BaSyx server from issuing HTTP POST requests to unauthorized internal or external targets, directly mitigating SSRF pivoting.

prevent

Monitors and controls communications at system boundaries to block unauthorized outbound HTTP requests forced by SSRF exploitation.

References