CVE-2026-7412
Published: 05 May 2026
Summary
CVE-2026-7412 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and sanitization of input URIs in the Operation Delegation feature to prevent SSRF by blocking arbitrary destination manipulation.
Enforces information flow control policies that restrict the BaSyx server from issuing HTTP POST requests to unauthorized internal or external targets, directly mitigating SSRF pivoting.
Monitors and controls communications at system boundaries to block unauthorized outbound HTTP requests forced by SSRF exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing BaSyx server SDK directly enables T1190 (Exploit Public-Facing Application) with no auth required; explicit mention of forcing requests to IMDS enables T1552.005 (Cloud Instance Metadata API) for credential theft or internal pivoting.
NVD Description
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind…
more
HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
Deeper analysisAI
CVE-2026-7412 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Eclipse BaSyx Java Server SDK in versions prior to 2.0.0-milestone-10. The flaw resides in the Operation Delegation feature, which fails to properly validate the destination URI of delegated requests. This design issue enables an unauthenticated remote attacker to manipulate the server into issuing HTTP POST requests to arbitrary targets. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for scope change with high confidentiality impact.
An unauthenticated attacker with network access to the BaSyx server can exploit this vulnerability by crafting malicious delegated requests, forcing the server to perform blind HTTP POST operations against internal or external destinations. Successful exploitation allows bypassing network segmentation, enabling pivoting into isolated IT/OT infrastructure or targeting sensitive cloud metadata services such as Instance Metadata Services (IMDS). No user interaction is required, and the attack leverages the server's trusted position to exfiltrate data or interact with otherwise unreachable systems.
Mitigation details are outlined in Eclipse security advisories available at https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 and https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Affected users should upgrade to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later, where the validation flaw has been addressed.
Details
- CWE(s)