Cyber Posture

CVE-2026-26120

Severity: Medium
Published: 19 March 2026
Modified: 01 April 2026
KEV Added: not listed in the CISA KEV catalog
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26120 is a medium-severity SSRF (CWE-918) vulnerability in Microsoft Bing. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0009 places it at the 24.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190), an unauthenticated network request to the Bing service that induces it to issue a server-side request on the attacker's behalf. What defenders deploy: see the NIST 800-53 controls listed under Threat & Defense Details.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly validates untrusted inputs such as URLs submitted to Microsoft Bing, so that an unauthenticated attacker cannot steer a server-side request to a destination of their choosing.

AC-4 Information Flow Enforcement (prevent)
Enforces information flow control policies that restrict where server-side requests may go, denying the unauthorized internal or external network destinations an SSRF exploit relies on.

Boundary protection (prevent)
Monitors and controls outbound communications at system boundaries, so that a request the application does emit to an unexpected destination is blocked and logged rather than completed. (The page does not list a control identifier for this item.)
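The three controls above describe, in policy terms, what an SSRF-resistant fetch path must do: validate the URL itself (SI-10), then check where that URL actually leads and refuse anything outside the outbound policy (AC-4), with network egress controls as the backstop. The following is an added example, written for this page and not code from Microsoft, from the advisory, or from Bing; the allowed scheme and port, the blocked ranges, the hostnames and the DNS answers are all constructed for illustration. It goes slightly beyond the advisory's single case: it handles literal IPs, IPv4-mapped IPv6 literals, a hostname with one public and one internal DNS answer, port restriction, and credentials embedded in the URL, all of which are standard SSRF bypass routes. The vulnerable pattern it replaces is simply handing the user-supplied URL straight to the HTTP client.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Outbound flow policy (the AC-4 side of the advice above). Hypothetical
# values chosen for this example; a real deployment derives them from the
# service's actual legitimate destinations.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Address ranges a server-side request must never reach, whatever hostname
# the caller supplied: "this network", RFC 1918, CGNAT, loopback, link-local
# (cloud metadata endpoints sit at 169.254.169.254), multicast, reserved,
# and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SsrfRejected(ValueError):
    """Raised when a user-supplied fetch target fails validation."""


def system_resolver(host):
    """Resolve with the OS resolver; tests inject a fake instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url, resolver=system_resolver, allowed_hosts=None):
    """Input validation (SI-10) of the URL, then enforcement of the outbound
    policy against the addresses the host actually resolves to.

    Returns (host, pinned_ip, port). The caller must connect to pinned_ip
    (still sending `host` for SNI/Host) so that a second lookup cannot return
    a different answer (DNS rebinding), and must re-run this check on every
    redirect hop instead of letting the HTTP client follow redirects itself.
    `allowed_hosts=None` means any host, for services that must fetch
    arbitrary URLs and therefore rely on the address check alone.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise SsrfRejected("credentials in URL are not permitted")
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        raise SsrfRejected("URL has no host")
    try:
        port = parsed.port or 443          # .port raises on out-of-range values
    except ValueError as exc:
        raise SsrfRejected(f"malformed port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SsrfRejected(f"host not on allowlist: {host!r}")

    # A literal IP is checked directly; a name is resolved once and every
    # returned address is checked, because an attacker controls DNS for their
    # own domains and can point one of the answers at an internal address.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SsrfRejected(f"host did not resolve: {host!r}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.1 is 10.0.0.1 on the wire; check the embedded address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise SsrfRejected(f"{host!r} resolves to blocked address {addr}")
    return host, addrs[0], port


def is_safe_fetch_target(url, resolver=system_resolver, allowed_hosts=None):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_fetch_target(url, resolver, allowed_hosts)
        return True
    except SsrfRejected:
        return False


# Constructed DNS answers so the example runs offline; documentation-range
# addresses (RFC 5737 / RFC 3849) stand in for public ones.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.com": ["2001:db8::10"],
    "partner.example.com": ["198.51.100.7", "10.0.0.5"],   # one internal answer
    "mapped.example.net": ["::ffff:127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/feed", "https://169.254.169.254/latest/meta-data/",
                "https://partner.example.com/", "https://mapped.example.net/",
                "https://api.example.com:22/", "https://[::1]/"):
        print(f"{url:48} -> {'accept' if is_safe_fetch_target(url, fake_resolver) else 'reject'}")
```

The ordering matters: the cheap syntactic checks run first, the DNS lookup happens exactly once, and the address returned is the one the caller must actually connect to. Validation that resolves the name and then lets the HTTP library resolve it again has a window in which the attacker's DNS can change its answer, which is why the function hands back a pinned IP rather than a clean bill of health for the hostname.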

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF is a web application flaw in the public-facing Microsoft Bing service that is exploitable over the network with no authentication or user interaction (AV:N/PR:N/UI:N), which matches the initial-access technique T1190 Exploit Public-Facing Application. No other Enterprise techniques are directly supported by the supplied description; what an attacker could do with the forged requests depends on the internal destinations reachable from the vulnerable component, which the advisory does not describe.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.

Deeper analysis

CVE-2026-26120 is a server-side request forgery (SSRF) vulnerability in Microsoft Bing, classified under CWE-918. Published on 2026-03-19T21:17:06.513, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L), indicating medium severity with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.

An unauthorized attacker can exploit this vulnerability remotely over the network. Note the mismatch between the description and the vector: the NVD text says the attacker can "perform tampering", yet the CVSS vector scores no integrity impact (I:N) and only low confidentiality and availability impact (C:L, A:L). The 6.5 score is derived from the vector, so for prioritisation treat this as a low-confidentiality, low-availability issue, while keeping in mind that the practical concern with any SSRF is that the server can be induced to issue requests to destinations the attacker cannot reach directly.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120 provides guidance on this vulnerability.

Details

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Affected Products

Microsoft Bing, all versions

CVEs Like This One

CVE-2026-32186 (same product: Microsoft Bing)
CVE-2026-33819 (same product: Microsoft Bing)
CVE-2025-21355 (same product: Microsoft Bing)
CVE-2025-21385 (same vendor: Microsoft)
CVE-2026-32210 (same vendor: Microsoft)
CVE-2026-35431 (same vendor: Microsoft)
CVE-2026-26139 (same vendor: Microsoft)
CVE-2025-21177 (same vendor: Microsoft)
CVE-2026-32169 (same vendor: Microsoft)
CVE-2025-59503 (same vendor: Microsoft)

References

Microsoft Security Response Center advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120