CVE-2026-0532
📋 TL;DR
This vulnerability allows authenticated attackers with connector management privileges to read arbitrary files and make arbitrary network requests by exploiting improper validation in the Google Gemini connector configuration. It affects Kibana instances where users can create or modify connectors. The combination of path traversal and SSRF enables sensitive data exposure.
💻 Affected Systems
- Kibana
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through credential theft, sensitive file disclosure (including configuration files with secrets), and internal network reconnaissance leading to lateral movement.
Likely Case
Unauthorized access to sensitive files containing credentials, configuration data, or proprietary information, potentially enabling further attacks within the environment.
If Mitigated
Limited impact due to restricted connector permissions, network segmentation, and proper input validation preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access with specific privileges. The vulnerability combines two well-understood weaknesses (CWE-73 and CWE-918).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.19.10, 9.1.10, 9.2.4 (based on reference URL)
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration and data.
2. Download the patched version from the Elastic website.
3. Stop the Kibana service.
4. Install the updated version.
5. Restart the Kibana service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict Connector Privileges
Limit the 'Alerts & Connectors: All' privilege to only the users who need it
Disable Google Gemini Connector
Remove or disable the vulnerable connector if it is not required
🧯 If You Can't Patch
- Implement strict network segmentation to limit Kibana's outbound network access
- Apply principle of least privilege for all Kibana users and audit connector permissions
🔍 How to Verify
Check if Vulnerable:
Check the Kibana version via the API: curl -X GET 'http://localhost:5601/api/status', or review the installed version in the Kibana UI under Management > Stack Management > License Management
Check Version:
curl -X GET 'http://localhost:5601/api/status' | grep -o '"number":"[^"]*"'
Verify Fix Applied:
Confirm the version is 8.19.10, 9.1.10 or 9.2.4 or later for your release branch, using the same methods
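The version check above, as an added example that is not part of this advisory: a POSIX sh script that extracts the version number from a /api/status response and classifies it against the three fixed releases named on this page, one per release branch. The JSON sample is constructed; the response shape {"version":{"number":"X.Y.Z"}} and the localhost:5601 endpoint are assumptions taken from the curl command above.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies a Kibana version
# against the fixed releases 8.19.10, 9.1.10 and 9.2.4 for CVE-2026-0532.

# Read a /api/status JSON body on stdin and print the "number" field.
# Assumes the response carries "version":{"number":"X.Y.Z"}.
kibana_version_from_status() {
  sed -n 's/.*"number":"\([^"]*\)".*/\1/p' | head -n 1
}

# Print "fixed", "vulnerable" or "unknown" for a version string.
# Branches other than 8.19, 9.1 and 9.2 are reported as "unknown"
# because the advisory names no fixed release for them; consult the
# vendor advisory for those.
kibana_fix_status() {
  ver=$1
  oldIFS=$IFS
  IFS=.
  set -- $ver            # split "X.Y.Z" into $1 $2 $3
  IFS=$oldIFS
  major=$1
  minor=$2
  patch=${3%%[!0-9]*}    # drop suffixes such as "-SNAPSHOT"
  case "$major.$minor" in
    8.19) fixed=10 ;;
    9.1)  fixed=10 ;;
    9.2)  fixed=4 ;;
    *)    echo unknown; return 0 ;;
  esac
  if [ "${patch:-0}" -ge "$fixed" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Constructed sample response, not captured from a real instance.
SAMPLE_STATUS='{"name":"kib-example","version":{"number":"8.19.9","build_hash":"constructed"}}'

# Offline demonstration against the constructed sample.
sample_ver=$(printf '%s' "$SAMPLE_STATUS" | kibana_version_from_status)
echo "sample version $sample_ver: $(kibana_fix_status "$sample_ver")"

# Live check, only when the script is invoked with --live.
if [ "${1:-}" = "--live" ]; then
  live_ver=$(curl -s -X GET 'http://localhost:5601/api/status' | kibana_version_from_status)
  echo "installed version ${live_ver:-unknown}: $(kibana_fix_status "${live_ver:-0.0.0}")"
fi
```

Run with --live on the Kibana host to classify the installed version; without arguments it only evaluates the constructed sample.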
📡 Detection & Monitoring
Log Indicators:
- Unusual connector creation/modification events
- Unexpected file read operations in Kibana logs
- Suspicious outbound network requests from Kibana
Network Indicators:
- Kibana making unexpected HTTP requests to internal systems
- Unusual file:// protocol usage in Kibana network traffic
SIEM Query:
source="kibana.log" AND ("connector" AND ("create" OR "update")) AND user NOT IN [allowed_users]