PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57898 Eclipse Foundation CVE debrief

A critical vulnerability CVE-2026-57898 was found in Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12. This issue allows an unauthenticated attacker to write arbitrary files through the AAS thumbnail API when using the MongoDB backend. The vulnerability is caused by the lack of normalization and restriction of file paths, enabling attackers to upload files to any location on the server filesystem where the Java process has write permissions, potentially leading to remote code execution.

Vendor
Eclipse Foundation
Product
Eclipse BaSyx - Java Server SDK
CVSS
CRITICAL 9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, especially those using the MongoDB backend, should apply the patch in version 2.0.0-milestone-13 to prevent potential remote code execution.

Technical summary

The Eclipse BaSyx Java Server SDK is vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API in versions 2.0.0-milestone-05 to 2.0.0-milestone-12 when using the MongoDB backend. The issue arises from the lack of path normalization and restriction, allowing an attacker to supply a client-controlled fileName request parameter. This parameter is used both as a repository key and as a local filesystem path during thumbnail retrieval. An attacker can exploit this by uploading thumbnail content with an absolute or traversal-style filename and then triggering thumbnail retrieval to write the uploaded content to a chosen path on the server filesystem. This could lead to writing files anywhere the Java process has permission to write and may result in remote code execution.

Defensive priority

High

Recommended defensive actions

  • Apply the patch in Eclipse BaSyx Java Server SDK version 2.0.0-milestone-13
  • Restrict write permissions for the Java process
  • Monitor for suspicious file writes and thumbnail uploads
  • Implement additional security measures for file handling and repository interactions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-14T09:16:41.173Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the official CVE record and vendor advisory for the most current information. The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13. Users should apply the patch and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.173Z and has not been modified since then.