CVE-2026-0532
published 2026-01-14CVE-2026-0532: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure…
PriorityP260high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.42%
33.4th percentile
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | 8.15.0 – 8.19.9 | — |
| elastic | kibana | 9.0.0 – 9.1.9 | — |
| elastic | kibana | 9.2.0 – 9.2.3 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for authenticated requests to create or modify Kibana connectors (Alerts & Connectors: All privilege) that include a Google Gemini connector configuration with a crafted credentials JSON payload — this is the attack vector for arbitrary file disclosure and SSRF. ↗
- →Monitor Kibana connector creation/modification API calls where the Google Gemini connector configuration payload contains file path references or internal/loopback network addresses in the credentials JSON field, indicating SSRF or local file read attempts. ↗
- →Alert on Kibana users exercising 'Alerts & Connectors: All' privileges who submit connector configurations — especially for the Google Gemini connector type — as exploitation requires this specific privilege level. ↗
- ·Exploitation requires authenticated access; unauthenticated attackers cannot exploit this vulnerability. Scope detection efforts to authenticated sessions with elevated connector privileges. ↗
- ·The affected component is specifically the Google Gemini connector in Kibana. Several Red Hat packages (openshift-logging kibana6, puppet-kibana3, JBoss EAP kibana) are listed as NOT affected; only rhosdt/tempo-jaeger-query-rhel8 is confirmed affected in the Red Hat ecosystem. ↗
- ·No official mitigation is currently available from Red Hat that meets their deployment and stability criteria — patching is the primary remediation path. ↗
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat8.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
Kibana: Kibana: Arbitrary file disclosure via specially crafted connector configuration
vendor_redhat·2026-01-14·CVSS 8.6
CVE-2026-0532 [HIGH] CWE-918 Kibana: Kibana: Arbitrary file disclosure via specially crafted connector configuration
Kibana: Kibana: Arbitrary file disclosure via specially crafted connector configuration
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
A flaw was found in Kibana. This vulnerability allows an authenticated attacker, with privileges to create or modify connectors, to disclose arbitrary files. The attacker achieves
GHSA
GHSA-pgjq-pwjv-wjpx: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file discl
ghsa_unreviewed·2026-01-14
CVE-2026-0532 [HIGH] CWE-918 GHSA-pgjq-pwjv-wjpx: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file discl
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
No detection rules found.
No public exploits indexed.
2026-01-14
Published