Cyber Resilience

CVE-2026-7065

Severity: Medium
Published: 27 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (18.5th percentile)
Risk Priority: 11 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7065 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7065 is a server-side request forgery (SSRF) vulnerability affecting BidingCC BuildingAI versions up to 26.0.1. The issue resides in the uploadRemoteFile function within the file packages/core/src/modules/upload/services/file-storage.service.ts of the Remote Upload API component. By manipulating the url argument, an attacker can trick the server into making unintended requests, as classified under CWE-918. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-27.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables server-side request forgery, potentially allowing limited impacts on confidentiality, integrity, and availability as per the CVSS metrics.

Advisories note that the project was informed early via GitHub issue #110 but has not responded. No patches or mitigations are mentioned in available references, including VulDB entries, and the exploit has been publicly disclosed, making it available for use.

BuildingAI appears to be an AI-related project based on its repository name, though no specific AI/ML exploitation details are provided. There is no reported real-world exploitation status beyond the public disclosure.

Vulnerability details

A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing Remote Upload API directly enables remote exploitation of the application (T1190); manipulating the URL parameter allows the server to probe internal hosts/ports, facilitating network service discovery (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13924 (shared CWE-918)
CVE-2026-42860 (shared CWE-918)
CVE-2025-25785 (shared CWE-918)
CVE-2024-53705 (shared CWE-918)
CVE-2026-5418 (shared CWE-918)
CVE-2026-45082 (shared CWE-918)
CVE-2025-55150 (shared CWE-918)
CVE-2025-28091 (shared CWE-918)
CVE-2025-1849 (shared CWE-918)
CVE-2025-27777 (shared CWE-918)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly validates the manipulated 'url' argument in uploadRemoteFile to block SSRF by ensuring only legitimate URLs are processed.

AC-4 Information Flow Enforcement (prevent)
Enforces information flow policies restricting the server from making unauthorized requests to internal or external destinations via the vulnerable function.

Network boundary protection (prevent, detect)
Network boundary protections filter and monitor outbound connections initiated by SSRF exploitation in the Remote Upload API.
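As an added illustration of the input-validation and flow-enforcement controls above, here is a TypeScript allow-list check for a remote-upload url argument; this is example code written for this page, not BuildingAI's own uploadRemoteFile. The function names, the blocked address ranges and the resolve hook are assumptions.

```typescript
// Added example, not BuildingAI project code: an allow-list check for the `url`
// argument of a remote-upload endpoint. All names and policy values are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Blocked IPv4 ranges: "this" network, RFC 1918, CGNAT, loopback, link-local
// (includes the 169.254.169.254 cloud metadata service), multicast/reserved.
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
// Dotted-quad IPv4 text to an unsigned 32-bit number; null if not a valid literal.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}
// True if `addr` (IPv4 or IPv6 text, no brackets) is loopback, private or link-local.
function isBlockedAddress(addr: string): boolean {
  const a = addr.toLowerCase();
  if (a.includes(":")) {
    return a === "::1" || a === "::" || a.startsWith("fe80:") ||
      a.startsWith("fc") || a.startsWith("fd") || a.startsWith("::ffff:");
  }
  const n = ipv4ToInt(a);
  if (n === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ipv4ToInt(net);
  });
}
type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };
// `resolve` is a hypothetical hook for the caller's DNS lookup; the default resolves
// nothing so the check runs offline. Connect to the addresses you validated, not to
// a fresh lookup, or DNS rebinding can undo the check.
function validateRemoteUploadUrl(raw: string, resolve: (host: string) => string[] = () => []): UrlCheck {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing already canonicalises 127.1, 0x7f000001 and 2130706433 to 127.0.0.1;
  // IPv6 literals come back bracketed, so strip the brackets before checking.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost") || isBlockedAddress(host)) {
    return { ok: false, reason: `host ${host} is not a public address` };
  }
  const bad = resolve(host).find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${host} resolves to internal address ${bad}` };
  return { ok: true, url };
}
```

The fetch that follows this check should not follow redirects automatically (or should re-run the check on every hop), since a public host can redirect the server back to an internal address.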