{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0532", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2025-12-19T16:02:39.148Z", "datePublished": "2026-01-14T10:14:57.415Z", "dateUpdated": "2026-01-14T16:18:47.674Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "8.19.9", "status": "affected", "version": "8.15.0", "versionType": "semver"}, {"lessThanOrEqual": "9.1.9", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.3", "status": "affected", "version": "9.2.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.</p>"}], "value": "External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads."}], "impacts": [{"capecId": "CAPEC-76", "descriptions": [{"lang": "en", "value": "CAPEC-76 Manipulating Web Input to File System Calls"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-14T10:14:57.415Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"}], "source": {"discovery": "Elastic"}, "title": "External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T16:17:27.816904Z", "id": "CVE-2026-0532", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T16:18:47.674Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T16:17:27.816904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T16:18:35.826Z"}}], "cna": {"title": "External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-76", "descriptions": [{"lang": "en", "value": "CAPEC-76 Manipulating Web Input to File System Calls"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "8.15.0", "versionType": "semver", "lessThanOrEqual": "8.19.9"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.1.9"}, {"status": "affected", "version": "9.2.0", "versionType": "semver", "lessThanOrEqual": "9.2.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.", "supportingMedia": [{"type": "text/html", "value": "<p>External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-14T10:14:57.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0532", "state": "PUBLISHED", "dateUpdated": "2026-01-14T16:18:47.674Z", "dateReserved": "2025-12-19T16:02:39.148Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-01-14T10:14:57.415Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads."}, {"lang": "es", "value": "Control Externo de Nombre o Ruta de Archivo (CWE-73) combinado con Falsificaci\u00f3n de Petici\u00f3n del Lado del Servidor (CWE-918) puede permitir a un atacante causar la divulgaci\u00f3n arbitraria de archivos a trav\u00e9s de una carga \u00fatil JSON de credenciales especialmente dise\u00f1ada en la configuraci\u00f3n del conector de Google Gemini. Esto requiere que un atacante tenga acceso autenticado con privilegios suficientes para crear o modificar conectores (Alertas y Conectores: Todos). El servidor procesa una configuraci\u00f3n sin la validaci\u00f3n adecuada, permitiendo peticiones de red arbitrarias y lecturas de archivos arbitrarias."}], "id": "CVE-2026-0532", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@elastic.co", "type": "Secondary"}]}, "published": "2026-01-14T11:15:50.510", "references": [{"source": "security@elastic.co", "url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "Kibana: Kibana: Arbitrary file disclosure via specially crafted connector configuration", "id": "2429540", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429540"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.", "A flaw was found in Kibana. This vulnerability allows an authenticated attacker, with privileges to create or modify connectors, to disclose arbitrary files. The attacker achieves this by submitting a specially crafted configuration for the Google Gemini connector, which the server processes without proper validation, enabling arbitrary network requests and file reads."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-0532", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "kibana", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "kibana", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2026-01-14T10:14:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0532\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0532\nhttps://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"], "statement": "This vulnerability is rated Important for Red Hat products as it allows an authenticated attacker with privileges to create or modify connectors in Kibana to disclose arbitrary files. Exploitation requires a specially crafted configuration for the Google Gemini connector. Red Hat products like Enterprise Application Platform, OpenShift Container Platform, Red Hat OpenStack Platform, and Red Hat OpenShift distributed tracing that include Kibana are affected.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T06:23:56.346254+00:00", "value": {"mitigation_remediation": ["Apply the official Elastic Kibana security update that addresses the Google Gemini connector flaw (refer to the 8.19.10\u20119.1\u201110.9.2 security advisories).", "If the connector is not required for business functions, disable or remove it from the Kibana configuration to eliminate the attack surface.", "Restrict the roles that can create or modify connectors to a minimal set of trusted administrators to reduce the attacker's ability to craft malicious configurations."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file disclosure via privileged connector configuration"}, "threat_synthesis": {"affected_systems": "The flaw affects Elastic Kibana deployments that incorporate the Google Gemini connector. No specific patch versions are listed in the vendor advisory, which implies that all versions using the connector are vulnerable until a corresponding security update is installed. Administrators should review their Kibana installations to confirm whether the connector is present and operating.", "description_and_impact": "The vulnerability arises from a combination of external control of file name or path (CWE\u201173) and server\u2011side request forgery (CWE\u2011918). An attacker who can create or modify the Google Gemini connector configuration can craft a credentials JSON payload that causes the Kibana server to read arbitrary files from the file system or initiate unauthorized network requests. The result is a breach of confidentiality for files that can be accessed by the web process, potentially exposing sensitive configuration data such as credentials.", "risk_and_exploitability": "The CVSS v3.1 score of 8.6 classifies the vulnerability as high severity. The EPSS score of less than 1\u202f% indicates a low probability of exploitation at the time of analysis, and the vulnerability is not included in the CISA KEV catalog. Exploitation requires authenticated write access to connector configurations, so the risk is significant for environments where privileged roles are broad or poorly segregated. Attackers could therefore leverage the flaw to exfiltrate arbitrary files or trigger outbound network traffic from the Kibana host."}}}}, "created": "2026-01-15T08:03:59.798677+00:00", "updated": "2026-04-18T06:30:25.906437+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}