CVE-2026-0532: CWE-918 Server-Side Request Forgery (SSRF) in Elastic Kibana
CVE-2026-0532 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in Elastic Kibana versions 8.15.0, 9.0.0, and 9.2.0. It arises from improper validation of the Google Gemini connector configuration, allowing authenticated users with privileges to create or modify connectors to trigger arbitrary network requests and disclose arbitrary files on the server. Exploitation requires no user interaction but does require authenticated access with specific privileges. The vulnerability impacts confidentiality by enabling unauthorized file disclosure but does not affect integrity or availability.
AI Analysis
Technical Summary
CVE-2026-0532 is a vulnerability in Elastic Kibana that combines External Control of File Name or Path (CWE-73) with Server-Side Request Forgery (CWE-918). It specifically affects the Google Gemini connector configuration, where the server fails to properly validate a specially crafted credentials JSON payload. This flaw allows an attacker with authenticated access and sufficient privileges (Alerts & Connectors: All) to cause the server to perform arbitrary network requests and disclose arbitrary files on the server filesystem. The vulnerability exists in Kibana versions 8.15.0, 9.0.0, and 9.2.0. The attack vector requires no user interaction but does require privileges to create or modify connectors, which limits exploitation to insiders or compromised accounts with elevated rights. The vulnerability impacts confidentiality by exposing sensitive files and potentially internal network resources via SSRF. The CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates network exploitable, low attack complexity, no user interaction, and high confidentiality impact, with scope changed due to SSRF potentially accessing resources beyond the original security boundary. No public exploits are known yet, but the vulnerability is critical given the widespread use of Kibana in enterprise environments for monitoring and analytics.
Potential Impact
For European organizations, this vulnerability poses a significant confidentiality risk, especially for those using Elastic Kibana in environments with sensitive data or critical infrastructure monitoring. Attackers with authenticated access and connector privileges could exfiltrate sensitive configuration files, credentials, or internal network information, potentially facilitating further attacks or data breaches. The SSRF aspect could allow pivoting into internal networks otherwise inaccessible externally, increasing the attack surface. Given Kibana's role in observability and alerting, compromise could undermine trust in monitoring data and incident response capabilities. Organizations in sectors such as finance, government, healthcare, and critical infrastructure are particularly at risk. The lack of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score and ease of exploitation by privileged users necessitate urgent attention.
Mitigation Recommendations
1. Immediately audit and restrict privileges related to creating or modifying connectors in Kibana, limiting them to trusted administrators only.
2. Monitor and log all connector creation and modification activities to detect anomalous or unauthorized configurations.
3. Apply vendor patches or updates as soon as they become available to address this vulnerability.
4. Implement network segmentation and firewall rules to limit Kibana server access to trusted networks and prevent SSRF from reaching sensitive internal resources.
5. Conduct regular security reviews of connector configurations, especially those involving external integrations like Google Gemini.
6. Employ multi-factor authentication and strong access controls to reduce the risk of compromised credentials being used to exploit this vulnerability.
7. Consider disabling or removing unused connectors to reduce the attack surface.
8. Use runtime application self-protection (RASP) or web application firewalls (WAF) with SSRF detection capabilities to provide additional defense layers.
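As an added example (not part of this advisory and not Kibana's own code), a small review script for recommendations 1 and 2: it scans Kibana-style JSON audit log lines for connector create/update events and flags any that touch a Gemini connector or were made by a user outside an admin allowlist. The audit action names, the `.gemini` connector type id, the sample log lines and the connector inventory are assumptions or constructed data, not values taken from this page.

```python
import json

# Assumed identifiers (verify against your Kibana version): the audit actions
# emitted for connector changes, and the Gemini connector type id.
CONNECTOR_CHANGE_ACTIONS = {"connector_create", "connector_update"}
GEMINI_CONNECTOR_TYPE = ".gemini"

# Constructed audit lines in Kibana's ECS-style JSON layout (not real logs).
SAMPLE_AUDIT_LOG = "\n".join([
    '{"@timestamp":"2026-01-14T10:01:00Z","event":{"action":"connector_get"},"user":{"name":"analyst"},"kibana":{"saved_object":{"type":"action","id":"c1"}}}',
    '{"@timestamp":"2026-01-14T10:02:00Z","event":{"action":"connector_create"},"user":{"name":"contractor"},"kibana":{"saved_object":{"type":"action","id":"c2"}}}',
    '{"@timestamp":"2026-01-14T10:03:00Z","event":{"action":"connector_update"},"user":{"name":"kibana-admin"},"kibana":{"saved_object":{"type":"action","id":"c3"}}}',
    '{"@timestamp":"2026-01-14T10:04:00Z","event":{"action":"connector_update"},"user":{"name":"analyst"},"kibana":{"saved_object":{"type":"action","id":"c2"}}}',
])
# Constructed connector inventory (connector id -> connector type), e.g. exported from the connectors API.
CONNECTOR_TYPES = {"c1": ".slack", "c2": ".gemini", "c3": ".email"}
ALLOWED_EDITORS = {"kibana-admin"}  # users permitted to create or modify connectors

def review_connector_changes(log_text, connector_types, allowed_editors):
    """Return one finding per connector create/update that either touches a
    Gemini connector or was made by a user outside the admin allowlist."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the review
        action = ev.get("event", {}).get("action")
        if action not in CONNECTOR_CHANGE_ACTIONS:
            continue
        so = ev.get("kibana", {}).get("saved_object", {})
        if so.get("type") != "action":  # connectors are saved objects of type "action"
            continue
        cid = so.get("id")
        user = ev.get("user", {}).get("name", "<unknown>")
        ctype = connector_types.get(cid, "<unknown>")
        reasons = []
        if ctype == GEMINI_CONNECTOR_TYPE:
            reasons.append("gemini-connector")
        if user not in allowed_editors:
            reasons.append("editor-not-allowlisted")
        if reasons:
            findings.append({"time": ev.get("@timestamp"), "user": user, "action": action,
                             "connector": cid, "type": ctype, "reasons": reasons})
    return findings
```

Feed it the real audit log and connector export; the two constructed Gemini changes above are flagged, while the admin's update of an e-mail connector is not.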
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: elastic
- Date Reserved: 2025-12-19T16:02:39.148Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696770cc8330e06716a7ebca
Added to database: 1/14/2026, 10:32:44 AM
Last enriched: 1/14/2026, 10:47:05 AM
Last updated: 1/14/2026, 11:34:27 AM