Skip to main content

Microsoft CVE-2026-26120

| EUVDEUVD-2026-13180 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 secure@microsoft.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 21:30 euvd
EUVD-2026-13180
Analysis Generated
Mar 19, 2026 - 21:30 vuln.today
CVE Published
Mar 19, 2026 - 21:17 nvd
MEDIUM 6.5

DescriptionCVE.org

Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.

AnalysisAI

Microsoft Bing contains a server-side request forgery vulnerability that enables unauthenticated remote attackers to manipulate network communications and access sensitive information. An attacker can exploit this flaw without user interaction to retrieve confidential data or cause service disruption. No patch is currently available.

Technical ContextAI

This vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a class of flaws where an application fetches remote resources without properly validating user-supplied URLs or request parameters. In the context of Microsoft Bing, the SSRF likely occurs in backend services that process search queries, URL validation, or content fetching operations. The attacker can manipulate Bing's server-side request handling to make the server issue requests to unintended targets, potentially accessing internal resources, metadata services, or adjacent systems. The network-based attack vector (AV:N) and lack of required privileges (PR:N) or user interaction (UI:N) indicate the vulnerability is exposed directly through Bing's public-facing interfaces without need for authentication or social engineering.

RemediationAI

Apply the security update from Microsoft as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120. For immediate mitigation prior to patching, restrict outbound network access from Bing services to only authorized external domains and block requests to internal IP ranges (RFC 1918, link-local, and metadata service endpoints) at the network perimeter. Implement URL validation and allowlisting for any user-controlled input that influences server-side requests. Monitor server logs for anomalous outbound connections or requests to internal resources. If Bing is accessed through a web application firewall or reverse proxy, enable SSRF detection rules to block requests to private IP ranges and sensitive metadata endpoints.

Share

CVE-2026-26120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy