CVE-2026-7065
Status: Received - Intake
Server-Side Request Forgery in BidingCC BuildingAI Remote Upload API

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: bidingcc
Product: buildingai
Version / Range: up to 26.0.1 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7065 is a Server-Side Request Forgery (SSRF) vulnerability in the BuildingAI application's Remote Upload API, specifically in the uploadRemoteFile function. The API accepts a url parameter that is validated only for well-formedness, not for where it points, so the server can be made to fetch any destination it can reach, including internal network resources and cloud metadata services.

The backend places the attacker-controlled URL directly into an HTTP request without checking whether it resolves to an internal or otherwise sensitive address. The endpoint is publicly reachable and does not require authentication, so it can be exploited remotely.

Exploitation consists of sending a crafted POST request whose url value points at a target of the attacker's choosing; the server then issues the request to internal services or metadata endpoints, which can lead to information disclosure.


How can this vulnerability impact me?

The main impact is to confidentiality: the server can be used as a proxy into internal services and cloud metadata endpoints, exposing information about the infrastructure behind it.

Integrity and availability risks are lower and depend on which internal services are reachable and whether the forged requests can be used to cause resource exhaustion or other disruption.

  • Potential disclosure of internal network details and cloud metadata.
  • Possible unauthorized access to internal services.
  • Risk of service disruption or resource exhaustion.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Test the Remote Upload API endpoint (POST route "/upload/remote") for Server-Side Request Forgery (SSRF) behaviour by sending POST requests whose JSON body carries a URL you control and observing whether the server fetches it.

For the proof of concept, point the url field at an HTTP server you operate and watch its access log; an incoming request from the target's address confirms that the server fetches user-supplied URLs.

To confirm reach into internal networks, use an internal target such as http://127.0.0.1:2375/version (the unencrypted Docker daemon API port, if one is exposed locally) and check whether a response or a distinguishable error is returned.

Example curl command to test the vulnerability:

  • curl -X POST https://<target-host>/upload/remote -H "Content-Type: application/json" -d '{"url":"http://your-controlled-server/path"}'

Monitoring server logs for outbound requests triggered by such inputs can help confirm exploitation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling the public remote upload endpoint if it is not necessary.

If the endpoint must remain enabled, implement strict allowlists for destination URLs to restrict which URLs the server can fetch.

Block requests to loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata IP addresses after DNS resolution.

Enforce protocol restrictions to allow only HTTP and HTTPS schemes.

Add authentication and rate limiting to the remote upload API to reduce abuse.

Impose response size and timeout limits on the server-side requests to prevent resource exhaustion.

Replace the permissive format-only URL validation with a policy-based validator that resolves the hostname, checks every resulting IP address against the deny list, and applies the same check to each redirect target instead of letting the HTTP client follow redirects on its own. Note that a check performed before the request can still be bypassed by DNS rebinding if the client resolves the name a second time; where the HTTP client allows it, connect to the address that was validated and send the original hostname in the Host header.

A more secure approach is to introduce a signed upload flow where the backend does not fetch arbitrary user-supplied URLs.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated Server-Side Request Forgery (SSRF) which can lead to high confidentiality risks by enabling attackers to enumerate internal services and access cloud metadata endpoints. This exposure of sensitive internal information could potentially lead to unauthorized access to personal or protected data.

Such unauthorized access and potential data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure.

Mitigations such as disabling the vulnerable endpoint, implementing strict allowlists, blocking internal IP ranges, adding authentication, and rate limiting are necessary to reduce the risk and help maintain compliance with these standards.

