High severity8.6NVD Advisory· Published May 5, 2026· Updated May 6, 2026

CVE-2026-7412

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.eclipse.basyx:basyx.sdkMaven	< 2.0.0-milestone-10	2.0.0-milestone-10

Affected products

Eclipse Basyx/Basys Sdk Javainferred
Range: <2.0.0-milestone-10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gx3v-wxfj-8h24ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7412ghsaADVISORY
gitlab.eclipse.org/security/cve-assignment/-/issues/103nvdWEB
gitlab.eclipse.org/security/vulnerability-reports/-/issues/423nvdWEB

News mentions

ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
The Hacker News · May 7, 2026

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000