High severity8.6NVD Advisory· Published Jan 14, 2026· Updated Apr 15, 2026
CVE-2026-0532
CVE-2026-0532
Description
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4- osv-coords4 versionspkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.18-bitnamipkg:bitnami/elkpkg:bitnami/kibana
< 8.17.10-r11+ 3 more
- (no CPE)range: < 8.17.10-r11
- (no CPE)range: < 8.18.8-r10
- (no CPE)range: < 8.19.10
- (no CPE)range: < 8.19.10
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.