Skip to main content

BuildingAI CVE-2026-7065

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-26 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 27, 2026 - 00:22 NVD
HIGH MEDIUM
CVSS changed
Apr 27, 2026 - 00:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 27, 2026 - 00:00 vuln.today
Analysis Generated
Apr 26, 2026 - 23:30 vuln.today
CVE Published
Apr 26, 2026 - 23:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.

Technical ContextAI

Server-Side Request Forgery (CWE-918) occurs when an application fetches remote resources based on user-supplied URLs without proper validation. The vulnerable function uploadRemoteFile in file-storage.service.ts (TypeScript-based service layer, likely Node.js backend) accepts attacker-controlled url arguments and makes server-initiated HTTP requests. This allows attackers to abuse the application server as a proxy to access resources the server can reach but external attackers cannot-such as cloud instance metadata endpoints (169.254.169.254 for AWS/Azure/GCP), internal network services behind firewalls, or localhost services. The affected product BuildingAI (CPE: cpe:2.3:a:bidingcc:buildingai) appears to be an AI-focused application framework with file upload capabilities. The vulnerability exists in the core module's upload service component, suggesting it's a fundamental part of the application's file handling architecture.

RemediationAI

No vendor-released patch identified at time of analysis-BidingCC has not responded to the vulnerability disclosure in GitHub issue #110 despite early notification. In the absence of an official fix, implement the following compensating controls immediately: (1) Disable the Remote Upload API feature entirely if not business-critical by removing or commenting out the uploadRemoteFile endpoint in your BuildingAI configuration; this eliminates the attack surface but breaks remote file upload functionality for legitimate users. (2) If remote upload is required, implement strict allowlist validation on the url parameter-permit only specific approved domains/IP ranges and reject private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, localhost) and cloud metadata endpoints (169.254.169.254); this reduces SSRF risk but requires maintenance as business needs change and may break legitimate internal resource access. (3) Deploy network segmentation to isolate BuildingAI servers from sensitive internal resources and cloud metadata services using firewall rules; this limits SSRF impact but does not prevent exploitation and requires infrastructure changes. (4) Monitor vendor response at https://github.com/BidingCC/BuildingAI for future patches and consider migration to alternative solutions if vendor remains unresponsive. Validate any future patch independently before deployment given vendor communication gap. For technical implementation details, reference the exploit disclosure at https://github.com/BidingCC/BuildingAI/issues/110 and VulDB analysis at https://vuldb.com/vuln/359640/cti.

Share

CVE-2026-7065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy