{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2274", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-02-10T11:57:47.527Z", "datePublished": "2026-02-19T15:21:38.382Z", "dateUpdated": "2026-02-19T19:55:23.508Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "AppSheet Web (Main Server)", "vendor": "AppSheet", "versions": [{"lessThan": "2025-11-23", "status": "affected", "version": "0", "versionType": "date"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Tomas La\u017eauninkas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><div><div><p>A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.</p></div></div><div>This vulnerability was patched and no customer action is needed.<br></div></span><br>"}], "value": "A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.\n\n\n\n\n\nThis vulnerability was patched and no customer action is needed."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-02-19T15:21:38.382Z"}, "references": [{"url": "https://discuss.google.dev/t/november-23-2025/332118"}], "source": {"discovery": "EXTERNAL"}, "title": "Arbitrary File Read and SSRF in Google AppSheet", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:55:09.235611Z", "id": "CVE-2026-2274", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:55:23.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2274", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:55:09.235611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:55:17.343Z"}}], "cna": {"title": "Arbitrary File Read and SSRF in Google AppSheet", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Tomas La\u017eauninkas"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AppSheet", "product": "AppSheet Web (Main Server)", "versions": [{"status": "affected", "version": "0", "lessThan": "2025-11-23", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.google.dev/t/november-23-2025/332118"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.\n\n\n\n\n\nThis vulnerability was patched and no customer action is needed.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><div><div><p>A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.</p></div></div><div>This vulnerability was patched and no customer action is needed.<br></div></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-02-19T15:21:38.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2274", "state": "PUBLISHED", "dateUpdated": "2026-02-19T19:55:23.508Z", "dateReserved": "2026-02-10T11:57:47.527Z", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "datePublished": "2026-02-19T15:21:38.382Z", "assignerShortName": "GoogleCloud"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.\n\n\n\n\n\nThis vulnerability was patched and no customer action is needed."}, {"lang": "es", "value": "Una SSRF y una vulnerabilidad de lectura arbitraria de archivos en AppSheet Core en Google AppSheet anterior al 23-11-2025 permite a un atacante remoto autenticado leer archivos locales sensibles y acceder a recursos de red internos a trav\u00e9s de solicitudes manipuladas al cl\u00faster de producci\u00f3n.\n\nEsta vulnerabilidad fue parcheada y no se requiere ninguna acci\u00f3n por parte del cliente."}], "id": "CVE-2026-2274", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}, "published": "2026-02-19T16:27:16.287", "references": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "url": "https://discuss.google.dev/t/november-23-2025/332118"}], "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025-11-23)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AppSheet Web (Main Server)", "source": "cna", "vendor": "AppSheet"}, "product": "appsheet_web_(main_server)", "vendor": "appsheet"}], "analysis": {"en": {"generated_at": "2026-04-18T11:48:13.175970+00:00", "value": {"mitigation_remediation": ["Restrict AppSheet data\u2011request URLs to a whitelist of approved external domains to prevent unintended SSRF.", "Enforce least\u2011privilege and MFA on AppSheet accounts to reduce impact of credential compromise.", "Set up monitoring and alerting on file\u2011access logs to detect anomalous read attempts."], "summary": {"action": "No action", "impact": "Sensitive Data Exposure via Arbitrary File Read and SSRF"}, "threat_synthesis": {"affected_systems": "AppSheet Cloud Web main servers running a release prior to 2025\u201111\u201123 are susceptible. The vulnerability was patched by Google on the stated date, and the fix applies to all subsequent versions of the AppSheet Web service.", "description_and_impact": "This vulnerability is a Server Side Request Forgery (SSRF) and arbitrary file read flaw in the core of Google AppSheet. An authenticated remote attacker can craft requests to the production cluster to read sensitive local files and reach internal network resources. As a result, confidential data may be exfiltrated and unintended components of the internal network could be accessed, leading to a breach of confidentiality and integrity.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.5, categorizing it as high severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authenticated access, so it is likely that only users with valid AppSheet credentials can leverage the SSRF or file\u2011read capabilities. The overall risk is moderate to low, but the exposure of sensitive data remains a concern if login credentials are compromised."}}}}, "created": "2026-02-20T10:06:31.698206+00:00", "updated": "2026-04-18T12:00:05.876352+00:00", "vendors": ["appsheet", "appsheet$PRODUCT$appsheet_web_(main_server)"]}