cbcvebase.
CVE-2026-0532
published 2026-01-14

CVE-2026-0532: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure…

PriorityP260high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.42%
33.4th percentile
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

Affected

3 ranges
VendorProductVersion rangeFixed in
elastickibana8.15.0 – 8.19.9
elastickibana9.0.0 – 9.1.9
elastickibana9.2.0 – 9.2.3

Detection & IOCsextracted from sources · hover to see the quote

  • Look for authenticated requests to create or modify Kibana connectors (Alerts & Connectors: All privilege) that include a Google Gemini connector configuration with a crafted credentials JSON payload — this is the attack vector for arbitrary file disclosure and SSRF.
  • Monitor Kibana connector creation/modification API calls where the Google Gemini connector configuration payload contains file path references or internal/loopback network addresses in the credentials JSON field, indicating SSRF or local file read attempts.
  • Alert on Kibana users exercising 'Alerts & Connectors: All' privileges who submit connector configurations — especially for the Google Gemini connector type — as exploitation requires this specific privilege level.
  • ·Exploitation requires authenticated access; unauthenticated attackers cannot exploit this vulnerability. Scope detection efforts to authenticated sessions with elevated connector privileges.
  • ·The affected component is specifically the Google Gemini connector in Kibana. Several Red Hat packages (openshift-logging kibana6, puppet-kibana3, JBoss EAP kibana) are listed as NOT affected; only rhosdt/tempo-jaeger-query-rhel8 is confirmed affected in the Red Hat ecosystem.
  • ·No official mitigation is currently available from Red Hat that meets their deployment and stability criteria — patching is the primary remediation path.

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat8.6HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.