CVE-2026-2274 PUBLISHED

Arbitrary File Read and SSRF in Google AppSheet

Assigner: GoogleCloud
Reserved: 10.02.2026 Published: 19.02.2026 Updated: 19.02.2026

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster.

This vulnerability was patched and no customer action is needed.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	AppSheet
Product	AppSheet Web (Main Server)
Versions	Default: unaffected affected from 0 to 2025-11-23 (excl.)

Credits

Tomas Lažauninkas reporter

References

https://discuss.google.dev/t/november-23-2025/332118

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE

Impacts

CAPEC-664 Server Side Request Forgery