{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26120", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.911Z", "datePublished": "2026-03-19T21:06:23.690Z", "dateUpdated": "2026-03-19T21:21:09.404Z"}, "containers": {"cna": {"title": "Microsoft Bing Tampering Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:bing:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Bing", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-19T21:21:09.404Z"}, "references": [{"name": "Microsoft Bing Tampering Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}}}

{}

{"cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network."}], "id": "CVE-2026-26120", "lastModified": "2026-03-19T21:17:06.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:17:06.513", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Bing", "source": "cna", "vendor": "Microsoft"}, "product": "bing", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-19T22:23:42.058719+00:00", "value": {"mitigation_remediation": ["Check the Microsoft Update Guide for this vulnerability and apply any available security update for Microsoft Bing", "If an update is not yet available, monitor the Microsoft Bing service for unexpected outbound requests and consider implementing network segmentation to limit outbound traffic"], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery can lead to unauthorized tampering of internal resources"}, "threat_synthesis": {"affected_systems": "Microsoft Bing is affected. Specific product version information is not provided in the data.", "description_and_impact": "The vulnerability is a server\u2011side request forgery (CWE\u2011918) in Microsoft Bing that allows an unauthorized attacker to issue requests over the network on behalf of the server. This can result in tampering with internal resources or data that the Bing service can access.", "risk_and_exploitability": "The CVSS score for the vulnerability is 6.5, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to interact with the Bing service in order to trigger the SSRF. The attack is therefore likely to be limited to environments where the Bing service is publicly accessible or otherwise exposed to external traffic."}}}}, "created": "2026-03-20T08:55:58.502449+00:00", "updated": "2026-03-20T11:06:08.332048+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$bing"]}