Cyber Resilience

CVE-2026-26120

Medium

Published: 19 March 2026

Modified: 01 April 2026
KEV Added: not listed
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
EPSS score: 0.0009 (25.8th percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26120 is a medium-severity SSRF (CWE-918) vulnerability in Microsoft Bing. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26120 is a server-side request forgery (SSRF) vulnerability in Microsoft Bing, classified under CWE-918. Published on 2026-03-19T21:17:06.513, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L), indicating medium severity with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.

The vendor's description states that an unauthorized attacker can exploit this vulnerability remotely over the network to perform tampering. The CVSS vector, however, scores the impact as low on confidentiality and availability and none on integrity, so the "tampering" wording and the vector do not fully agree.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120 provides guidance on this vulnerability.

Vulnerability details

Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF is a web application flaw in the public-facing Microsoft Bing service that is directly exploitable over the network with no authentication, matching the initial access technique T1190 Exploit Public-Facing Application. No other Enterprise techniques are directly enabled by the supplied description.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32186 (same product: Microsoft Bing)
CVE-2025-21355 (same product: Microsoft Bing)
CVE-2026-33819 (same product: Microsoft Bing)
CVE-2026-35431 (same vendor: Microsoft)
CVE-2026-26139 (same vendor: Microsoft)
CVE-2025-21385 (same vendor: Microsoft)
CVE-2026-32210 (same vendor: Microsoft)
CVE-2026-26150 (same vendor: Microsoft)
CVE-2026-26121 (same vendor: Microsoft)
CVE-2025-62207 (same vendor: Microsoft)

Affected Assets

Vendor: microsoft
Product: bing
Versions: all versions

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 (Information Input Validation). Directly validates untrusted inputs such as URLs in Microsoft Bing to block SSRF exploitation by unauthorized attackers.

Prevent: AC-4 (Information Flow Enforcement). Enforces information flow control policies to restrict server-side requests to unauthorized network destinations exploited in this SSRF vulnerability.

Prevent: Monitors and controls outbound communications at system boundaries to mitigate SSRF-induced tampering over the network.
