CVE-2026-7065
Received Received - Intake
Server-Side Request Forgery in BidingCC BuildingAI Remote Upload API

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7065
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bidingcc buildingai to 26.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7065 is a Server-Side Request Forgery (SSRF) vulnerability found in the BuildingAI application's Remote Upload API, specifically in the uploadRemoteFile function. The vulnerability occurs because the API accepts a URL parameter that is only validated for correct format but not restricted in terms of network location. This allows an attacker to supply a malicious URL that the server will fetch, potentially accessing internal network resources or cloud metadata services.

The backend uses the attacker-controlled URL directly in an HTTP request without verifying if the URL points to internal or sensitive resources. The endpoint is publicly accessible and does not require authentication, making it possible to exploit remotely.

This vulnerability can be exploited by sending a specially crafted POST request with a URL controlled by the attacker, causing the server to make requests to internal services or metadata endpoints, which can lead to information disclosure.

Impact Analysis

This vulnerability can have several impacts including high confidentiality risks due to unauthorized access to internal services and cloud metadata, which may expose sensitive information about the infrastructure.

There are also medium risks to integrity and availability depending on what internal services are accessible and whether resource exhaustion or other disruptions can be caused by the SSRF attack.

  • Potential disclosure of internal network details and cloud metadata.
  • Possible unauthorized access to internal services.
  • Risk of service disruption or resource exhaustion.
Detection Guidance

This vulnerability can be detected by testing the Remote Upload API endpoint exposed at the POST route "/upload/remote" for Server-Side Request Forgery (SSRF) behavior. Specifically, you can send crafted POST requests with JSON bodies containing URLs controlled by you to see if the server fetches those URLs.

A proof-of-concept involves sending a POST request with a JSON body specifying an attacker-controlled URL, such as an HTTP server you control, and observing if the server makes a request to that URL.

You can also attempt to probe internal services by specifying URLs like http://127.0.0.1:2375/version to check if the server fetches internal network resources, indicating SSRF.

Example curl command to test the vulnerability:

  • curl -X POST https://<target-host>/upload/remote -H "Content-Type: application/json" -d '{"url":"http://your-controlled-server/path"}'

Monitoring server logs for outbound requests triggered by such inputs can help confirm exploitation.

Mitigation Strategies

Immediate mitigation steps include disabling the public remote upload endpoint if it is not necessary.

If the endpoint must remain enabled, implement strict allowlists for destination URLs to restrict which URLs the server can fetch.

Block requests to loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata IP addresses after DNS resolution.

Enforce protocol restrictions to allow only HTTP and HTTPS schemes.

Add authentication and rate limiting to the remote upload API to reduce abuse.

Impose response size and timeout limits on the server-side requests to prevent resource exhaustion.

Consider replacing the permissive URL validation with a policy-based validator that resolves hostnames and verifies final IP addresses against deny lists, including handling redirects.

A more secure approach is to introduce a signed upload flow where the backend does not fetch arbitrary user-supplied URLs.

Compliance Impact

The vulnerability allows unauthenticated Server-Side Request Forgery (SSRF) which can lead to high confidentiality risks by enabling attackers to enumerate internal services and access cloud metadata endpoints. This exposure of sensitive internal information could potentially lead to unauthorized access to personal or protected data.

Such unauthorized access and potential data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure.

Mitigations such as disabling the vulnerable endpoint, implementing strict allowlists, blocking internal IP ranges, adding authentication, and rate limiting are necessary to reduce the risk and help maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart