CVE-2026-0532 HIGH

CVE-2026-0532: External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector

Vendor Elastic

Product Kibana

Weakness CWE-918 · SSRF

Published January 14, 2026

Last update January 14, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

Key dates

02Disclosure timeline

January 14, 2026 CVE published

January 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-0532

Related vulnerabilities

Identifiers

CVE CVE-2026-0532

CWE CWE-918

CVSS 8.6 / HIGH

Affected versions

Vendor Elastic

Product Kibana

Affected ≥ 8.15.0 and ≤ 8.19.9

Vendor Elastic

Product Kibana

Affected ≥ 9.0.0 and ≤ 9.1.9

Vendor Elastic

Product Kibana

Affected ≥ 9.2.0 and ≤ 9.2.3

CVE-2026-0532: External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector

01Description

02Disclosure timeline

03References

04Related CVE