CVE-2026-0532

HIGH

Kibana 8.15.0-8.19.8, 9.0.0-9.1.8, 9.2.0-9.2.2 - Authenticated Arbitrary File Read and SSRF via Google Gemini Connector

Title source: llm

Description

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

References (1)

Core 1

Core References

Various Sources

https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524

Scores

CVSS v3 8.6

EPSS 0.0005

EPSS Percentile 17.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

Elastic/Kibana 8.15.0 - 8.19.9

Elastic/Kibana 9.0.0 - 9.1.9

Elastic/Kibana 9.2.0 - 9.2.3

Published Jan 14, 2026

Tracked Since Feb 18, 2026