Platform
other
Component
bigquery-connector-for-apache-kafka
Fixed in
2.11.1
CVE-2026-23529 describes an Arbitrary File Access vulnerability within the Google BigQuery Sink connector, a component used to transfer data from Apache Kafka to Google BigQuery. This vulnerability allows attackers to read arbitrary files on the system due to inadequate validation of externally-sourced credential configurations. The issue impacts versions of the connector prior to 2.11.0, and a fix is available in version 2.11.0.
The primary impact of CVE-2026-23529 is the potential for unauthorized file access. An attacker who can manipulate the connector's credential configuration can supply a malicious JSON file containing file paths. The connector, failing to properly validate these paths, will then attempt to read the specified files, potentially exposing sensitive data such as configuration files, database credentials, or even source code. This could lead to data breaches, privilege escalation, and further compromise of the system. The blast radius extends to any system running the vulnerable connector and connected to BigQuery, especially if the connector is deployed in shared environments or with overly permissive access controls.
CVE-2026-23529 was publicly disclosed on 2026-01-16. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability (arbitrary file access) and the potential for easy exploitation once a PoC is developed, it warrants close monitoring.
Organizations utilizing the Aiven Google BigQuery Kafka Connect Sink connector, particularly those with automated deployment pipelines or shared hosting environments, are at heightened risk. Systems relying on the connector for critical data ingestion processes should be prioritized for patching.
• linux / server:
find /opt/kafka/connectors/ -name 'aiven-bigquery-sink-connector.jar' -print0 | xargs -0 grep -i 'credential.json'
• generic web:
curl -I <connector_endpoint> | grep -i 'credential.json'
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23529 is to immediately upgrade the Google BigQuery Sink connector to version 2.11.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on the credential JSON files provided to the connector. This could involve whitelisting allowed characters, limiting file sizes, and verifying the file's structure. Additionally, review and restrict the permissions granted to the connector's service account within Google Cloud to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to provide a malicious credential file and verifying that the connector rejects it with an appropriate error message.
Update the Kafka BigQuery connector to version 2.11.0 or later. This version fixes the arbitrary file read vulnerability. Make sure to validate and sanitize externally supplied credential configurations before using them.
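The validation the mitigation above describes, as an added example that is not code from the connector project or from Aiven: a pre-deployment gate in Python that inspects a service-account credential JSON before it is handed to the sink connector, rejecting oversized blobs, undocumented fields, non-https endpoint URLs and any value that looks like a local file reference instead of inline credential material. The field names follow Google's documented service-account key layout; the size limit, the path heuristics, the function names and every sample input are this example's own constructed assumptions.

```python
import json
import re

# Assumption for this example: a genuine service-account key is a few KB at most.
MAX_BYTES = 16 * 1024

# Documented field names of a Google service-account key file; the connector
# never needs anything beyond these, so everything else is rejected.
REQUIRED_KEYS = {"type", "project_id", "private_key_id", "private_key",
                 "client_email", "token_uri"}
OPTIONAL_KEYS = {"client_id", "auth_uri", "auth_provider_x509_cert_url",
                 "client_x509_cert_url", "universe_domain"}
URL_KEYS = {"auth_uri", "token_uri", "auth_provider_x509_cert_url",
            "client_x509_cert_url"}

# A credential value must carry the secret inline. Anything that looks like an
# absolute path, a Windows drive or UNC path, a home-relative path, directory
# traversal or a file: URI is treated as an attempt to point the connector at
# a file on disk (heuristic chosen for this example).
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/|~|\.{1,2}[\\/]|file:)|\.\.[\\/]")
# Control characters other than tab/LF/CR never belong in a key file.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"


class CredentialRejected(ValueError):
    """Raised when the blob must not be handed to the connector."""


def validate_credential_json(raw: bytes) -> dict:
    """Return the parsed key when every check passes, otherwise raise CredentialRejected."""
    if len(raw) > MAX_BYTES:
        raise CredentialRejected(f"credential blob is {len(raw)} bytes, limit is {MAX_BYTES}")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise CredentialRejected(f"not valid UTF-8 JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise CredentialRejected("top-level value must be a JSON object")

    missing = REQUIRED_KEYS - doc.keys()
    unknown = doc.keys() - REQUIRED_KEYS - OPTIONAL_KEYS
    if missing:
        raise CredentialRejected(f"missing fields: {sorted(missing)}")
    if unknown:
        # An undocumented field is the natural place to smuggle in a file reference.
        raise CredentialRejected(f"unexpected fields: {sorted(unknown)}")
    if doc["type"] != "service_account":
        raise CredentialRejected(f"unsupported credential type {doc['type']!r}")

    for key, value in doc.items():
        if not isinstance(value, str):
            raise CredentialRejected(f"field {key} must be a string")
        if CONTROL_CHARS.search(value):
            raise CredentialRejected(f"field {key} contains control characters")
        if key in URL_KEYS:
            if not value.startswith("https://"):
                raise CredentialRejected(f"field {key} must be an https URL, got {value!r}")
        elif PATH_LIKE.search(value):
            raise CredentialRejected(f"field {key} looks like a file reference: {value!r}")

    if not doc["private_key"].startswith(PEM_HEADER):
        raise CredentialRejected("private_key must be an inline PEM block")
    return doc


def rejection_reason(raw: bytes):
    """Convenience wrapper: None when the blob is acceptable, otherwise the reason."""
    try:
        validate_credential_json(raw)
    except CredentialRejected as exc:
        return str(exc)
    return None


# Constructed sample inputs; the key material is a placeholder, not a real key.
GOOD_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": PEM_HEADER + "\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw...PLACEHOLDER...\n-----END PRIVATE KEY-----\n",
    "client_email": "kafka-sink@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "universe_domain": "googleapis.com",
}).encode()
# Private key replaced by an absolute path: the connector must not follow it.
PATH_AS_KEY = json.dumps({**json.loads(GOOD_KEY), "private_key": "/etc/passwd"}).encode()
# Token endpoint pointed at a file: URI instead of an https URL.
FILE_URI_ENDPOINT = json.dumps({**json.loads(GOOD_KEY), "token_uri": "file:///etc/kafka/secrets.json"}).encode()
# Extra, undocumented field carrying a traversal path.
SMUGGLED_FIELD = json.dumps({**json.loads(GOOD_KEY), "credentials_file": "../../secrets.json"}).encode()

if __name__ == "__main__":
    for label, blob in [("good", GOOD_KEY), ("path-as-key", PATH_AS_KEY),
                        ("file-uri-endpoint", FILE_URI_ENDPOINT), ("smuggled-field", SMUGGLED_FIELD)]:
        print(f"{label:18} -> {rejection_reason(blob) or 'accepted'}")
```

Run the gate in the deployment pipeline that renders the connector configuration, and fail the deployment (rather than log and continue) whenever `validate_credential_json` raises; the connector should only ever receive a blob that has already passed. The heuristics deliberately err on the side of rejection: a legitimate key never carries a path-like value outside the URL fields, so a false positive costs a re-check, while a false negative is exactly the condition this advisory describes.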
CVE-2026-23529 is a HIGH severity vulnerability in the Google BigQuery Sink connector allowing attackers to read arbitrary files due to insufficient credential validation before version 2.11.0.
You are affected if you are using the Google BigQuery Sink connector version 2.11.0 or earlier. Upgrade to 2.11.0 to mitigate the risk.
Upgrade the Google BigQuery Sink connector to version 2.11.0 or later. If immediate upgrade is not possible, implement stricter input validation on credential JSON files.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is considered high severity and should be addressed promptly.
Refer to the Aiven security advisory for details: [https://www.aiven.io/security/advisories](https://www.aiven.io/security/advisories)