CVE-2026-7065
Published: 27 April 2026
Summary
CVE-2026-7065 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7065 is a server-side request forgery (SSRF) vulnerability affecting BidingCC BuildingAI versions up to 26.0.1. The issue resides in the uploadRemoteFile function within the file packages/core/src/modules/upload/services/file-storage.service.ts of the Remote Upload API component. By manipulating the url argument, an attacker can trick the server into making unintended requests, as classified under CWE-918. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-27.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables server-side request forgery, potentially allowing limited impacts on confidentiality, integrity, and availability as per the CVSS metrics.
Advisories note that the project was informed early via GitHub issue #110 but has not responded. No patches or mitigations are mentioned in available references, including VulDB entries, and the exploit has been publicly disclosed, making it available for use.
BuildingAI appears to be an AI-related project based on its repository name, though no specific AI/ML exploitation details are provided. There is no reported real-world exploitation status beyond the public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25735
Vulnerability details
A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing Remote Upload API directly enables remote exploitation of the application (T1190); manipulating the URL parameter allows the server to probe internal hosts/ports, facilitating network service discovery (T1046).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates the manipulated 'url' argument in uploadRemoteFile to block SSRF by ensuring only legitimate URLs are processed.
- AC-4 (Information Flow Enforcement): enforces information flow policies restricting the server from making unauthorized requests to internal or external destinations via the vulnerable function.
- Network boundary protections: filter and monitor outbound connections initiated by SSRF exploitation in the Remote Upload API.