PT-2026-3269 · Apache Kafka · Kafka Connect Bigquery Connector
Audrey Budryte · Published 2026-01-16 · Updated 2026-01-18
CVE-2026-23529 · CVSS v3.1 7.7 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Kafka Connect BigQuery Connector versions prior to 2.11.0
Description
The Kafka Connect BigQuery Connector, a sink connector that writes data from Apache Kafka to Google BigQuery, contains a flaw that could allow arbitrary file reads. The connector requires Google Cloud credential configurations to authenticate to BigQuery, and it does not validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by supplying a malicious credential configuration with crafted `credential_source.file` paths or `credential_source.url` endpoints, potentially leading to arbitrary file reads or Server-Side Request Forgery (SSRF).
Recommendations
Upgrade to version 2.11.0 or later.
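The mitigation the advisory describes is a validation step between an externally supplied credential configuration and the Google auth library. The following Python example, added here and not code from the connector project or from the advisory, shows what such a check looks like for the Google Cloud credential JSON format: it accepts inline service-account keys, and for `external_account` (workload identity federation) configurations it rejects any `credential_source.file` outside an allowlisted directory and any `credential_source.url` that is not HTTPS to an allowlisted host. The allowlist values, the sample configurations and the hostnames are constructed for the example.

```python
import json
import os
from urllib.parse import urlparse

# Deployment-specific allowlists (constructed values for this example).
ALLOWED_FILE_DIRS = ("/etc/kafka-connect/credentials/",)
ALLOWED_URL_HOSTS = ("idp.example.internal",)


class CredentialConfigError(ValueError):
    """Raised when a credential configuration must not be handed to the auth library."""


def validate_credential_config(raw_json: str) -> dict:
    """Parse a Google Cloud credential JSON document and return it only if it
    cannot make the authentication library read an arbitrary local file or
    fetch an arbitrary URL on the connector's behalf."""
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise CredentialConfigError(f"credential config is not valid JSON: {exc}") from None
    if not isinstance(cfg, dict):
        raise CredentialConfigError("credential config must be a JSON object")

    ctype = cfg.get("type")
    if ctype == "service_account":
        # Service-account keys carry the private key inline; there is no
        # file or URL indirection for the library to follow.
        return cfg
    if ctype != "external_account":
        raise CredentialConfigError(f"unsupported credential type {ctype!r}")

    src = cfg.get("credential_source")
    if not isinstance(src, dict):
        raise CredentialConfigError("external_account config lacks a credential_source object")

    if "file" in src:
        path = src["file"]
        if not isinstance(path, str) or not os.path.isabs(path):
            raise CredentialConfigError("credential_source.file must be an absolute path")
        # Collapse ../ segments before the prefix check; symlinks inside the
        # allowed directory are left to deployment policy.
        norm = os.path.normpath(path)
        if not norm.startswith(ALLOWED_FILE_DIRS):
            raise CredentialConfigError(f"credential_source.file outside allowed directories: {norm}")
    elif "url" in src:
        url = src["url"]
        parsed = urlparse(url if isinstance(url, str) else "")
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_URL_HOSTS:
            raise CredentialConfigError(f"credential_source.url not in allowlist: {url!r}")
    else:
        raise CredentialConfigError("credential_source must specify either 'file' or 'url'")
    return cfg


def is_safe_credential_config(raw_json: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_credential_config(raw_json)
        return True
    except CredentialConfigError:
        return False


# Constructed sample configurations (not real credentials).
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "connector@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
SAMPLE_WIF_FILE_OK = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/0/locations/global/workloadIdentityPools/p/providers/x",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/etc/kafka-connect/credentials/token"},
})
SAMPLE_WIF_FILE_TRAVERSAL = json.dumps({
    "type": "external_account",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/etc/kafka-connect/credentials/../../hostname"},
})
SAMPLE_WIF_URL_INTERNAL = json.dumps({
    "type": "external_account",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"url": "http://10.0.0.5/internal/status"},
})


if __name__ == "__main__":
    for name, sample in [("service_account", SAMPLE_SERVICE_ACCOUNT),
                         ("wif file ok", SAMPLE_WIF_FILE_OK),
                         ("wif file traversal", SAMPLE_WIF_FILE_TRAVERSAL),
                         ("wif url internal", SAMPLE_WIF_URL_INTERNAL)]:
        print(f"{name}: {'accepted' if is_safe_credential_config(sample) else 'rejected'}")
```

The check runs before the JSON reaches the auth library, which is the point of the advisory: the library will faithfully open whatever file or URL the configuration names, so the only place to enforce policy is on the configuration itself. Fixed versions (2.11.0 and later) are still the real fix; a wrapper like this is an additional control for deployments that cannot upgrade immediately.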
Exploit
Fix
SSRF
Related Identifiers
Affected Products
Google Bigquery
Kafka Connect Bigquery Connector