Path Traversal Vulnerability in Eclipse BaSyx Java Server SDK
CVE-2026-7411

10CRITICAL

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Basyx
Vendor: CVE Published:; 5 May 2026

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2026-7411?

In certain versions of the Eclipse BaSyx Java Server SDK, a vulnerability exists that allows unauthenticated attackers to exploit inadequate path normalization in the Submodel HTTP API. Attackers can perform a path traversal attack by manipulating the fileName parameter during file uploads. This exploit enables them to bypass storage boundaries, potentially writing arbitrary files to any location within the host filesystem that is accessible by the Java process. Such an attack can result in unauthorized Remote Code Execution (RCE), posing severe risks to system integrity.

Affected Version(s)

Eclipse BaSyx 0 < 2.0.0-milestone-10

References

https://gitlab.eclipse.org/security/vulnerability-reports...

https://gitlab.eclipse.org/security/cve-assignment/-/issu...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

Mohamed Lemine Ahmed Jidou (AegisSec)

CVE-2026-7411 Data

JSON