Description
An SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.

This vulnerability was patched and no customer action is needed.
Published: 2026-02-19
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure via Arbitrary File Read and SSRF
Action: No action
AI Analysis

Impact

This vulnerability is a Server Side Request Forgery (SSRF) and arbitrary file read flaw in the core of Google AppSheet. An authenticated remote attacker can craft requests to the production cluster to read sensitive local files and reach internal network resources. As a result, confidential data may be exfiltrated and unintended components of the internal network could be accessed, leading to a breach of confidentiality and integrity.

Affected Systems

AppSheet Cloud Web main servers running a release prior to 2025‑11‑23 are susceptible. The vulnerability was patched by Google on the stated date, and the fix applies to all subsequent versions of the AppSheet Web service.

Risk and Exploitability

The flaw carries a CVSS score of 8.5, categorizing it as high severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authenticated access, so it is likely that only users with valid AppSheet credentials can leverage the SSRF or file‑read capabilities. The overall risk is moderate to low, but the exposure of sensitive data remains a concern if login credentials are compromised.

Generated by OpenCVE AI on April 18, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict AppSheet data‑request URLs to a whitelist of approved external domains to prevent unintended SSRF.
  • Enforce least‑privilege and MFA on AppSheet accounts to reduce impact of credential compromise.
  • Set up monitoring and alerting on file‑access logs to detect anomalous read attempts.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Appsheet; Appsheet appsheet Web (main Server) |
| Vendors & Products | | Appsheet; Appsheet appsheet Web (main Server) |

Fri, 20 Feb 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 19 Feb 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed. |
| Title | | Arbitrary File Read and SSRF in Google AppSheet |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear'} |


MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-02-19T19:55:23.508Z

Reserved: 2026-02-10T11:57:47.527Z

Link: CVE-2026-2274

Vulnrichment

Updated: 2026-02-19T19:55:17.343Z

NVD

Status: Deferred

Published: 2026-02-19T16:27:16.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses