CVE-2026-2274

Severity CVSS v4.0:

HIGH

Type:

CWE-918 Server-Side Request Forgery (SSRF)

Publication date:

19/02/2026

Last modified:

15/04/2026

Description

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear CVSS v4.0 Severity and Metrics:

Base Score: 8.50 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Provider Urgency (U): Clear

Base Score 4.0

8.50

Severity 4.0

HIGH

References to Advisories, Solutions, and Tools

https://discuss.google.dev/t/november-23-2025/332118