{"data":{"id":"4f187a7f-2c3a-4549-9091-c078bf8bc8c9","title":"CVE-2026-0532: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker","summary":"A vulnerability in the Google Gemini connector allows an authenticated attacker with connector-creation privileges to read arbitrary files on the server by sending a specially crafted JSON configuration. The flaw combines two weaknesses: improper control over file paths (CWE-73, where user input is used unsafely to access files) and server-side request forgery (SSRF, where a server is tricked into making unintended network requests). The server fails to validate the configuration before processing it, enabling both unauthorized file access and arbitrary network requests.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-0532","publishedAt":"2026-01-14T11:15:50.510Z","cveId":"CVE-2026-0532","cweIds":["CWE-918"],"cvssScore":"8.6","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Google"],"affectedVendorsRaw":["Google Gemini"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00045,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}