Arbitrary File Read Vulnerability in Aiven's Google BigQuery Kafka Connect Connector
CVE-2026-23529

7.7HIGH

Key Information:

Vendor

Aiven-open

Status
Bigquery-connector-for-apache-kafka
Vendor
CVE Published:
16 January 2026

What is CVE-2026-23529?

The Google BigQuery Connector developed by Aiven is susceptible to an arbitrary file read vulnerability due to improper validation of user-supplied credential configurations. Users can configure credential JSON files for authentication with Google BigQuery. However, the service fails to validate these external configurations correctly before utilizing them in its authentication process. This oversight allows attackers to exploit crafted credential paths or URLs, potentially leading to arbitrary file reads or server-side request forgery (SSRF) attacks. Ensuring proper validation of credential sources is crucial for mitigating these risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

bigquery-connector-for-apache-kafka < 2.11.0

References

https://github.com/Aiven-Open/bigquery-connector-for-apac...
x_refsource_CONFIRM
https://github.com/Aiven-Open/bigquery-connector-for-apac...
x_refsource_MISC
https://docs.cloud.google.com/support/bulletins#gcp-2025-005
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.