CVE-2026-2274 | THREATINT

Description

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.

PUBLISHED Reserved 2026-02-10 | Published 2026-02-19 | Updated 2026-02-19 | Assigner GoogleCloud

HIGH: 8.5CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

Any version before 2025-11-23

affected

Credits

Tomas Lažauninkas reporter

References

discuss.google.dev/t/november-23-2025/332118

cve.org (CVE-2026-2274)

nvd.nist.gov (CVE-2026-2274)

Download JSON