CVE-2026-2274
Received Received - Intake
SSRF and File Read in Google AppSheet Core Enables Data Exposure

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GoogleCloud

Description
A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2274
EUVD
EUVD-2026-8211
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google appsheet to 2025-11-23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) and Arbitrary File Read issue found in the AppSheet Core component of Google AppSheet before the patch date of 2025-11-23.

An authenticated remote attacker can exploit this vulnerability by sending specially crafted requests to the production cluster, which allows them to read sensitive local files and access internal network resources that should normally be protected.

Impact Analysis

The impact of this vulnerability includes unauthorized access to sensitive local files and internal network resources, which can lead to exposure of confidential information.

Since the attacker must be authenticated, the risk is limited to users with some level of access, but the potential for data leakage and internal network compromise remains significant.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability was patched in Google AppSheet prior to 2025-11-23, and no customer action is needed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart