PatchSiren cyber security CVE debrief
CVE-2026-57898 Eclipse Foundation CVE debrief
A critical vulnerability CVE-2026-57898 was found in Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12. This issue allows an unauthenticated attacker to write arbitrary files through the AAS thumbnail API when using the MongoDB backend. The vulnerability is caused by the lack of normalization and restriction of file paths, enabling attackers to upload files to any location on the server filesystem where the Java process has write permissions, potentially leading to remote code execution.
- Vendor
- Eclipse Foundation
- Product
- Eclipse BaSyx - Java Server SDK
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, especially those using the MongoDB backend, should apply the patch in version 2.0.0-milestone-13 to prevent potential remote code execution.
Technical summary
The Eclipse BaSyx Java Server SDK is vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API in versions 2.0.0-milestone-05 to 2.0.0-milestone-12 when using the MongoDB backend. The issue arises from the lack of path normalization and restriction, allowing an attacker to supply a client-controlled fileName request parameter. This parameter is used both as a repository key and as a local filesystem path during thumbnail retrieval. An attacker can exploit this by uploading thumbnail content with an absolute or traversal-style filename and then triggering thumbnail retrieval to write the uploaded content to a chosen path on the server filesystem. This could lead to writing files anywhere the Java process has permission to write and may result in remote code execution.
Defensive priority
High
Recommended defensive actions
- Apply the patch in Eclipse BaSyx Java Server SDK version 2.0.0-milestone-13
- Restrict write permissions for the Java process
- Monitor for suspicious file writes and thumbnail uploads
- Implement additional security measures for file handling and repository interactions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-14T09:16:41.173Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the official CVE record and vendor advisory for the most current information. The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13. Users should apply the patch and monitor for suspicious activity.
Official resources
-
CVE-2026-57898 CVE record
CVE.org
-
CVE-2026-57898 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.173Z and has not been modified since then.