CRITICAL🇵🇱 Wersja polska

CVE-2026-7411

CVSS 10.0v3.1pub. 2026-05-05upd. 2026-05-06

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

🤖 AI Analysis
How it works

Insufficient path normalization in the Submodel HTTP API causes the fileName parameter passed during file upload operations to not be properly validated. An attacker can upload a crafted fileName parameter value containing path traversal sequences (e.g., '../../'), which allows bypassing intended file storage boundaries. As a result, the Java process writes files to any location in the file system for which it has permissions. The attack requires no authentication or user interaction.

Impact

An attacker can write arbitrary files anywhere in the file system accessible to the Java process, which may lead to remote code execution (RCE) and complete system compromise.

Mitigation & patch

Eclipse BaSyx Java Server SDK must be updated to version 2.0.0-milestone-10 or later. Details available in the vendor references: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

Who is affected

Eclipse BaSyx Java Server SDK in versions prior to 2.0.0-milestone-10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References