CVE-2026-0532
Deferred Deferred - Pending Action

Path Traversal and SSRF in Google Gemini Connector Enables Arbitrary File Disclosure

Vulnerability report for CVE-2026-0532, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-14

Last updated on: 2026-06-30

Assigner: Elastic

Description

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-14
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.15.0 (inc) to 8.19.9 (inc)
elastic kibana From 9.0.0 (inc) to 9.1.9 (inc)
elastic kibana From 9.2.0 (inc) to 9.2.3 (inc)
elastic kibana 8.19.10
elastic kibana 9.1.10
elastic kibana 9.2.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves External Control of File Name or Path combined with Server-Side Request Forgery (SSRF) in the Google Gemini connector of Kibana. An attacker who has authenticated access with privileges to create or modify connectors can submit a specially crafted credentials JSON payload. Due to improper validation of this configuration by the server, the attacker can cause arbitrary network requests and disclose arbitrary files on the server. Essentially, the attacker can manipulate file paths and induce SSRF attacks, potentially exposing sensitive files and internal network resources. [1]

Impact Analysis

This vulnerability can allow an attacker with sufficient privileges to disclose arbitrary files on the server and make arbitrary network requests. This could lead to exposure of sensitive files and internal network resources, potentially compromising the confidentiality of data and the security of the internal network environment. [1]

Detection Guidance

Detection involves checking for the presence of vulnerable Kibana versions (8.15.0 through 8.19.9, 9.0.0 through 9.1.9, and 9.2.0 through 9.2.3) and monitoring for unusual or unauthorized modifications to Google Gemini connector configurations, especially those involving credentials JSON payloads. Specific commands are not provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Kibana to versions 8.19.10, 9.1.10, or 9.2.4, which contain the fix for this vulnerability. If upgrading is not possible immediately, disable the Google Gemini connector by setting the appropriate value in the `xpack.actions.enabledActionTypes` configuration. Elastic Cloud Serverless environments have already been patched. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart