CVE-2026-0532: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker
Summary
A vulnerability in the Google Gemini connector allows an authenticated attacker with connector-creation privileges to read arbitrary files on the server by sending a specially crafted JSON configuration. The flaw combines two weaknesses: improper control over file paths (CWE-73, where user input is used unsafely to access files) and server-side request forgery (SSRF, where a server is tricked into making unintended network requests). The server fails to validate the configuration before processing it, enabling both unauthorized file access and arbitrary network requests.
Vulnerability Details
8.6(high)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-0532
First tracked: February 15, 2026 at 08:51 PM
Classified by LLM (prompt v3) · confidence: 92%