Eclipse BaSyx RCE: Critical Path Traversal in Server SDK
The National Vulnerability Database has disclosed a critical path traversal vulnerability, CVE-2026-7411, in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10. This flaw resides in the Submodel HTTP API’s inadequate path normalization, allowing an unauthenticated remote attacker to bypass storage boundaries.
Attackers can exploit this by crafting a malicious fileName parameter during a file upload operation. This enables writing arbitrary files to any location on the host filesystem accessible by the Java process. The National Vulnerability Database rates this with a CVSS score of 10.0 (CRITICAL), indicating a severe risk of Remote Code Execution (RCE) and complete system compromise.
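The advisory attributes the flaw to inadequate normalization of the client-supplied fileName before it is joined to the storage directory. The following is an added illustration, not Eclipse BaSyx code (the page does not show the affected routine): the weak join beside a containment check of the kind the fix needs. The names storage_root, file_name, naive_target and safe_target are assumptions chosen for the example.

```python
import os
from pathlib import Path, PurePosixPath
from typing import List

# Added example, not Eclipse BaSyx code. storage_root and file_name stand in
# for the server's upload directory and the client-supplied fileName parameter.


class UnsafeFileName(ValueError):
    """Raised when a client-supplied file name would leave the storage root."""


def naive_target(storage_root: str, file_name: str) -> str:
    """The weak pattern: concatenate the client value onto the storage root.

    normpath() collapses '..' segments, so a traversal name yields a path
    outside storage_root. Shown only to contrast with safe_target().
    """
    return os.path.normpath(os.path.join(storage_root, file_name))


def safe_target(storage_root: str, file_name: str) -> Path:
    """Map a client-supplied name to a path guaranteed to lie under storage_root."""
    if not file_name or "\x00" in file_name:
        raise UnsafeFileName(repr(file_name))
    # Treat backslashes as separators too, so a Windows-style name is not missed.
    pure = PurePosixPath(file_name.replace("\\", "/"))
    # Reject absolute names and any '..' segment before touching the filesystem.
    if pure.is_absolute() or ".." in pure.parts:
        raise UnsafeFileName(file_name)
    root = Path(storage_root).resolve()
    # resolve() follows symlinks, so a link inside the root that points outside
    # it is also caught by the containment check below.
    candidate = (root / str(pure)).resolve()
    # The result must be strictly below the root (the root itself is not a file).
    if root not in candidate.parents:
        raise UnsafeFileName(file_name)
    return candidate


def check_names(storage_root: str, names: List[str]) -> List[str]:
    """Return the names that safe_target() rejects, for a quick self-check."""
    rejected = []
    for name in names:
        try:
            safe_target(storage_root, name)
        except UnsafeFileName:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    root = "/tmp/basyx-files"  # placeholder storage directory
    print("weak join resolves to:", naive_target(root, "../../outside.txt"))
    print("rejected:", check_names(root, ["report.pdf", "../../outside.txt", "/outside.txt"]))
```

The two-stage check matters: the syntactic test rejects traversal segments without depending on the filesystem, and the post-resolve containment test covers what the syntactic test cannot see, such as symlinks under the root. Percent-decoding is the HTTP layer's job and must happen before the name reaches this function.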
This is a full system compromise waiting to happen. For any organization running these versions, this isn’t just a data breach risk; it’s an attacker gaining full control. The unauthenticated nature of the vulnerability means exposure is immediate and broad. Defenders need to prioritize patching this immediately, as the attacker’s calculus here is straightforward: get a foothold, then own the box.
What This Means For You
- If your organization uses Eclipse BaSyx Java Server SDK, immediately identify all instances running versions prior to 2.0.0-milestone-10. Prioritize patching or upgrading to a secure version to mitigate the critical risk of unauthenticated remote code execution and full system compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK; the Sigma YAML follows.
CVE-2026-7411 - Eclipse BaSyx Path Traversal File Upload

```yaml
title: CVE-2026-7411 - Eclipse BaSyx Path Traversal File Upload
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7411 by identifying POST requests to the
  Eclipse BaSyx Submodel HTTP API containing a 'fileName=' parameter with
  directory traversal characters ('../'). This indicates an attempt to write
  arbitrary files to the filesystem, potentially leading to RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7411/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/submodels/'
    # Sigma has no 'exact' modifier; a bare field name is an exact match.
    cs-method: 'POST'
    cs-uri-query|contains:
      - 'fileName='
  selection_base:
    cs-uri-query|contains:
      - '../'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity
```
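To see what the rule above actually fires on, here is an added example (not part of the feed's rule set) that applies the same three conditions to a few constructed W3C-style webserver log lines. The URI stems and addresses in SAMPLE_LOG are placeholders, not a statement of the BaSyx API layout, and the decode option goes beyond the rule as written to show its blind spot for percent-encoded traversal.

```python
import urllib.parse
from typing import Dict, List, Optional

# Constructed W3C-style webserver log lines (not real traffic). The URI stems
# are placeholders, not a description of the BaSyx API.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-05 19:20:01 10.0.0.5 GET /submodels/abc/attachment - 200
2026-05-05 19:20:07 10.0.0.9 POST /submodels/abc/attachment fileName=report.pdf 200
2026-05-05 19:20:09 10.0.0.9 POST /submodels/abc/attachment fileName=../../outside.txt 200
2026-05-05 19:20:11 10.0.0.9 POST /submodels/abc/attachment fileName=..%2F..%2Foutside.txt 200
2026-05-05 19:20:13 10.0.0.9 POST /shells/xyz fileName=../x 404
"""

TRAVERSAL = ("../", "..\\")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the fields the Sigma rule references."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, time, _ip, method, stem, query, _status = parts
    return {
        "time": time,
        "cs-method": method,
        "cs-uri": stem,
        "cs-uri-query": "" if query == "-" else query,
    }


def matches(rec: Dict[str, str], decode: bool = False) -> bool:
    """Mirror the rule: POST to a /submodels/ path, a fileName= parameter,
    and a traversal marker in the query string.

    With decode=True the query is percent-decoded first, which the Sigma rule
    as written does not do.
    """
    query = rec["cs-uri-query"]
    if decode:
        query = urllib.parse.unquote(query)
    return (
        rec["cs-method"] == "POST"
        and "/submodels/" in rec["cs-uri"]
        and "fileName=" in query
        and any(marker in query for marker in TRAVERSAL)
    )


def scan(log_text: str, decode: bool = False) -> List[str]:
    """Return the timestamps of the lines the rule would fire on."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and matches(rec, decode):
            hits.append(rec["time"])
    return hits


if __name__ == "__main__":
    print("literal rule:", scan(SAMPLE_LOG))
    print("with URL decoding:", scan(SAMPLE_LOG, decode=True))
```

The literal rule matches only the raw `../` line; the percent-encoded variant on the next line is missed unless the log pipeline decodes the query string before matching or the rule also lists encoded forms. The last line shows the `/submodels/` path condition doing its job: a traversal attempt against a different endpoint is out of scope for this rule and would need its own.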
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7411 | Path Traversal | Eclipse BaSyx Java Server SDK < 2.0.0-milestone-10 |
| CVE-2026-7411 | Path Traversal | Submodel HTTP API |
| CVE-2026-7411 | Path Traversal | Inadequate path normalization via fileName parameter during file upload |
| CVE-2026-7411 | RCE | Eclipse BaSyx Java Server SDK < 2.0.0-milestone-10 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.