Arbitrary File Read and SSRF in Google AppSheet_CVE-2026-2274

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear

Description

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.

This vulnerability was patched and no customer action is needed.

AI Analysis

SSRF and Arbitrary File Read vulnerability in AppSheet Core

Basic Information

ID CVE-2026-2274

Source GoogleCloud

Published Feb 19, 2026 at 15:21

Affected Product

Vendor AppSheet

Product AppSheet Web (Main Server)

Affected Versions AppSheet AppSheet Web (Main Server) 0

CWE Classification

CWE-918

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor Google

Product AppSheet

Version prior to 2025-11-23

References

discuss.google.dev /t/november-23-2025/332118

{
    "lastseen": "",
    "description": "A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.\n\n\n\n\n\nThis vulnerability was patched and no customer action is needed.",
    "published": "2026-02-19T15:21:38.382Z",
    "modified": "2026-02-19T15:21:38.382Z",
    "type": "cve",
    "title": "Arbitrary File Read and SSRF in Google AppSheet",
    "source": "GoogleCloud",
    "references": "https://discuss.google.dev/t/november-23-2025/332118",
    "id": "CVE-2026-2274",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "AppSheet AppSheet Web (Main Server) 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AppSheet Web (Main Server)",
    "version": "0",
    "vendor": "AppSheet",
    "ai_description": "SSRF and Arbitrary File Read vulnerability in AppSheet Core",
    "ai_severity": "High",
    "ai_vendor": "Google",
    "ai_product": "AppSheet",
    "ai_version": "prior to 2025-11-23",
    "ai_score": 8.5
}