Description
Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery allowing unauthorized tampering over the network
Action: Apply Patch
AI Analysis

Impact

A server‑side request forgery vulnerability in Microsoft Bing permits an attacker to forge requests that the Bing service forwards to arbitrary network destinations. This can lead to tampering with internal resources, such as modifying data, disrupting services, or changing configurations, thereby compromising integrity and availability.

Affected Systems

The affected product is Microsoft Bing. Specific affected versions are not listed in the vendor’s advisory, so all deployed instances of Bing should be treated as potentially vulnerable until a patch is issued.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Its EPSS score is below 1%, suggesting that exploitation is currently unlikely. The issue is not listed in the CISA KEV catalog. Because the flaw is server-side, the likely attack vector involves an attacker sending a specially crafted request to Bing's publicly exposed interface, which triggers the service to forward the request to an internal address, a typical SSRF exploitation pattern. No publicly available exploit has been identified, and the damage would be confined to the networks reachable from Bing's infrastructure without additional privilege escalation.

Generated by OpenCVE AI on April 2, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Microsoft update or patch that addresses the SSRF flaw in Bing as soon as it is released
  • If a patch is unavailable, restrict the outbound traffic from the Bing service to the minimum required set of destinations using firewall or network segmentation
  • Enable logging of outbound requests made by Bing and monitor for anomalous destinations or patterns
  • Consider implementing application‑level request filtering to reject URLs that target internal IP ranges
  • Regularly verify the version of Bing in use and stay informed about subsequent security notices from Microsoft

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:bing:-:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
Title Microsoft Bing Tampering Vulnerability
First Time appeared Microsoft
Microsoft bing
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:bing:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft bing
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:59.042Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26120

Vulnrichment

Updated: 2026-03-21T03:28:14.479Z

NVD

Status: Analyzed

Published: 2026-03-19T21:17:06.513

Modified: 2026-04-01T15:12:38.017

Link: CVE-2026-26120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:45Z

Weaknesses