Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
AnalysisAI
Microsoft Bing contains a server-side request forgery vulnerability that enables unauthenticated remote attackers to manipulate network communications and access sensitive information. An attacker can exploit this flaw without user interaction to retrieve confidential data or cause service disruption. No patch is currently available.
Technical ContextAI
This vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a class of flaws where an application fetches remote resources without properly validating user-supplied URLs or request parameters. In the context of Microsoft Bing, the SSRF likely occurs in backend services that process search queries, URL validation, or content fetching operations. The attacker can manipulate Bing's server-side request handling to make the server issue requests to unintended targets, potentially accessing internal resources, metadata services, or adjacent systems. The network-based attack vector (AV:N) and lack of required privileges (PR:N) or user interaction (UI:N) indicate the vulnerability is exposed directly through Bing's public-facing interfaces without need for authentication or social engineering.
RemediationAI
Apply the security update from Microsoft as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120. For immediate mitigation prior to patching, restrict outbound network access from Bing services to only authorized external domains and block requests to internal IP ranges (RFC 1918, link-local, and metadata service endpoints) at the network perimeter. Implement URL validation and allowlisting for any user-controlled input that influences server-side requests. Monitor server logs for anomalous outbound connections or requests to internal resources. If Bing is accessed through a web application firewall or reverse proxy, enable SSRF detection rules to block requests to private IP ranges and sensitive metadata endpoints.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13180