Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network.
The SSRF (CWE-918) vulnerability consists of the application server executing network requests based on data supplied by an attacker, without proper validation. An unauthorized attacker can manipulate requests sent by the Microsoft Bing server, directing them to internal resources or other systems. The attack vector is network-based, requires no authentication or user interaction, and the scope of the breach extends beyond the directly attacked component (S:C in the CVSS vector).
An attacker can obtain unauthorized privilege escalation, which combined with maximum impact on confidentiality, integrity and availability (C:H/I:H/A:H) can lead to takeover of service resources or gaining access to internal infrastructure.
Apply patches available from the vendor according to references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32186
Microsoft Bing — versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Bing
APPMicrosoftwszystkie wersje
Related vulnerabilities
Zdalna deserializacja danych w Microsoft Bing umożliwia RCE
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code...
User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacke...
Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over...
Microsoft Bing Search Spoofing Vulnerability