CVE-2026-2274 HIGH

CVE-2026-2274: Arbitrary File Read and SSRF in Google AppSheet

Vendor Appsheet
Product AppSheet Web (Main Server)
Weakness CWE-918 · SSRF
Published February 19, 2026
Last update February 19, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear

What the vulnerability does

01Description

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated

Related vulnerabilities

04Related CVE