External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector (ESA-2026-05)
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
Affected Versions:
- 8.x: All versions from 8.15.0 up to and including 8.19.9
- 9.x:
  - All versions from 9.0.0 up to and including 9.1.9
  - All versions from 9.2.0 up to and including 9.2.3
Solutions and Mitigations:
Users should upgrade to version 8.19.10, 9.1.10, or 9.2.4.
For Users that Cannot Upgrade:
Customers who cannot upgrade can disable the connector type by setting the appropriate value for xpack.actions.enabledActionTypes in the Kibana configuration.
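As an added illustration (not part of this advisory or of Elastic's code), a small Python helper that maps a Kibana version to the fixed release listed above and checks whether a deployment's xpack.actions.enabledActionTypes value still enables the Gemini connector. It assumes the Gemini connector's type ID is `.gemini` and that the setting's default value `["*"]` enables every connector type.

```python
"""Fleet-audit helpers for ESA-2026-05 (CVE-2026-0532)."""
from typing import Optional, Sequence

# Affected ranges taken from the advisory: (first affected, last affected, fixed release)
AFFECTED_RANGES = (
    ((8, 15, 0), (8, 19, 9), "8.19.10"),
    ((9, 0, 0), (9, 1, 9), "9.1.10"),
    ((9, 2, 0), (9, 2, 3), "9.2.4"),
)

# Assumed connector type ID for the Google Gemini connector (not stated in the advisory).
GEMINI_ACTION_TYPE = ".gemini"


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a pre-release suffix such as '-SNAPSHOT'."""
    parts = version.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(p) for p in parts)


def required_upgrade(version: str) -> Optional[str]:
    """Return the fixed release to move to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def gemini_connector_enabled(enabled_action_types: Sequence[str]) -> bool:
    """Interpret xpack.actions.enabledActionTypes: the wildcard '*' (the assumed
    default) enables every type; otherwise a type is enabled only if listed explicitly."""
    return "*" in enabled_action_types or GEMINI_ACTION_TYPE in enabled_action_types


def assess(version: str, enabled_action_types: Sequence[str]) -> str:
    """Combine both checks into a one-line verdict for an inventory report."""
    fixed = required_upgrade(version)
    if fixed is None:
        return "not affected"
    if not gemini_connector_enabled(enabled_action_types):
        return f"affected ({version}); Gemini connector disabled, upgrade to {fixed} when possible"
    return f"affected ({version}); Gemini connector enabled, upgrade to {fixed} or disable the connector type"


if __name__ == "__main__":
    # Constructed sample inventory: (Kibana version, configured enabledActionTypes)
    for ver, types in [("8.16.0", ["*"]), ("9.2.3", [".email", ".slack"]), ("9.2.4", ["*"])]:
        print(ver, "->", assess(ver, types))
```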
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: High (8.6) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-0532
Problem Type: CWE-918 - Server-Side Request Forgery (SSRF)
Impact: CAPEC-664 - Server-Side Request Forgery (SSRF), CAPEC-76 - Manipulating Web Input to File System Calls