CVE-2026-23529 Overview
CVE-2026-23529 is a critical security vulnerability affecting the Aiven BigQuery Connector for Apache Kafka, an implementation of a sink connector used to transfer data from Apache Kafka to Google BigQuery. Prior to version 2.11.0, the connector contains an arbitrary file read vulnerability that can also be leveraged for Server-Side Request Forgery (SSRF) attacks.
The vulnerability stems from insufficient validation of externally-sourced credential configurations before they are processed by Google authentication libraries. The connector requires Google Cloud credential configurations for authentication to BigQuery services, and during connector configuration, users can supply credential JSON files. An attacker can exploit this weakness by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, enabling arbitrary file reads from the server or SSRF attacks against internal network resources.
Critical Impact
Attackers with low-privilege access can read arbitrary files from affected systems or perform SSRF attacks, potentially exposing sensitive credentials, configuration files, and internal services.
Affected Products
- Aiven BigQuery Connector for Apache Kafka versions prior to 2.11.0
- Kafka Connect deployments using a vulnerable BigQuery Sink connector
- Google Cloud environments utilizing the vulnerable connector for data ingestion
Discovery Timeline
- January 16, 2026 - CVE-2026-23529 published to NVD
- January 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23529
Vulnerability Analysis
This vulnerability is classified under CWE-73 (External Control of File Name or Path), which occurs when an application allows external input to control file system paths without proper validation. In the context of the BigQuery Sink connector, the flaw manifests in how the service processes Google Cloud credential configurations.
The attack is network-accessible, requires only low-level privileges to exploit, and needs no user interaction. When exploited, the vulnerability can affect resources beyond the security scope of the vulnerable component, allowing attackers to read highly sensitive data from the compromised system.
The impact is primarily confidentiality-focused, as attackers can extract sensitive files such as configuration files, private keys, service account credentials, and other sensitive data stored on systems running the vulnerable connector.
Root Cause
The root cause lies in the connector's failure to validate externally-sourced credential configurations before passing them to Google authentication libraries. The connector accepts credential JSON files that may contain malicious credential_source.file or credential_source.url values, which are then processed by the underlying Google Cloud client libraries without sanitization.
This allows attackers to specify arbitrary file paths or URL endpoints that the connector will attempt to read during the authentication process, effectively turning the connector into a proxy for accessing local files or making arbitrary HTTP requests.
Attack Vector
The attack vector involves providing a malicious credential configuration file to the BigQuery Sink connector. An attacker with the ability to configure connectors can craft a credential JSON file containing:
- Arbitrary File Read: A credential_source.file path pointing to sensitive system files (e.g., /etc/passwd, /etc/shadow, application configuration files, private keys)
- SSRF Attack: A credential_source.url endpoint pointing to internal services, cloud metadata endpoints (e.g., http://169.254.169.254/), or other internal network resources
The security patch introduces proper validation through the addition of io.aiven.commons:google-utils and io.aiven.commons:system dependencies, which provide secure handling of credential configurations:
<groupId>com.wepay.kcbq</groupId>
<artifactId>kcbq-parent</artifactId>
<version>2.11.0-SNAPSHOT</version>
- <relativePath>..</relativePath>
</parent>
<url>https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/</url>
<artifactId>kcbq-connector</artifactId>
<name>kafka-connect-bigquery</name>
<organization>
- <name>Aiven</name>
+ <name>Aiven, OY</name>
<url>https://www.aiven.io</url>
</organization>
<properties>
<main.dir>${project.parent.basedir}</main.dir>
</properties>
<dependencies>
+ <dependency>
+ <groupId>io.aiven.commons</groupId>
+ <artifactId>google-utils</artifactId>
+ <scope>compile</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>io.aiven.commons</groupId>
+ <artifactId>system</artifactId>
+ <scope>compile</scope>
+ </dependency>
+
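Review bot: the two new io.aiven.commons dependencies (google-utils and system) carry no <version> element, so which build of the validation utilities lands on the classpath is decided by the parent's dependencyManagement, which is not part of this hunk; please pin the version here or reference the managed one, because the fix only works if a release of google-utils that actually performs the credential_source checks is resolved. The hunk also adds the dependencies only: the call site that routes the credential JSON through them before it reaches the Google authentication library is not shown, so this POM change by itself does not demonstrate the validation the text above describes. Minor: <scope>compile</scope> is Maven's default and can be dropped, and the <organization> rename to "Aiven, OY" is unrelated to the fix and belongs in its own commit.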
Source: GitHub Commit Update
Detection Methods for CVE-2026-23529
Indicators of Compromise
- Unusual file access patterns from Kafka Connect processes, particularly reads of sensitive system files like /etc/passwd, /etc/shadow, or credential files
- Connector configuration changes that include suspicious credential_source.file paths containing path traversal sequences (../)
- Outbound HTTP requests from Kafka Connect to internal IP ranges or cloud metadata endpoints (e.g., 169.254.169.254)
- Authentication errors followed by successful reads of unexpected file paths in connector logs
Detection Strategies
- Monitor Kafka Connect configuration changes for credential configurations containing credential_source.file or credential_source.url parameters
- Implement file integrity monitoring on systems running Kafka Connect to detect unusual file access patterns
- Deploy network monitoring to detect SSRF attempts targeting internal services or cloud metadata endpoints
- Review Kafka Connect audit logs for connector configuration modifications by unauthorized users
Monitoring Recommendations
- Enable verbose logging for Kafka Connect BigQuery Sink connector operations
- Configure alerting for outbound connections from Kafka Connect to internal IP ranges or cloud metadata services
- Implement access controls and audit logging for connector configuration changes
- Monitor for authentication library errors that may indicate exploitation attempts
How to Mitigate CVE-2026-23529
Immediate Actions Required
- Upgrade Aiven BigQuery Connector for Apache Kafka to version 2.11.0 or later immediately
- Audit existing connector configurations for suspicious credential_source.file or credential_source.url values
- Review access controls for who can create or modify Kafka Connect connector configurations
- Inspect logs for evidence of exploitation attempts prior to patching
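An added example (not code from this page or from the Aiven project) of the configuration audit called for under Detection Strategies and in the second action above: it walks Kafka Connect connector configs, parses any embedded credential JSON, and flags credential_source.file values outside an allowlisted token directory and credential_source.url values that are not https or that point at the metadata service or an internal address. The allowlist, the sample configs and the "keyfile" key name are assumptions for illustration; in practice the connector names and configs would be pulled from the Connect REST API.

```python
import ipaddress, json, posixpath
from urllib.parse import urlparse
ALLOWED_FILE_PREFIXES = ("/var/run/secrets/",)  # illustrative: the only directory a token file may come from
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}  # never a legitimate token URL target

def check_file_source(path):
    """Return a reason if a credential_source.file value looks unsafe, else None."""
    if ".." in path.split("/"):
        return "path traversal sequence"
    if not posixpath.normpath(path).startswith(ALLOWED_FILE_PREFIXES):
        return "outside allowlisted token directory"

def check_url_source(url):
    """Return a reason if a credential_source.url value looks unsafe, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return "non-https scheme"
    if host in METADATA_HOSTS:
        return "cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: what it resolves to is enforced at the network layer, not here
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"internal address {ip}"

def audit_connector_configs(configs):
    """configs maps connector name -> config dict (the shape of GET /connectors/{name}/config).
    Every string value is tried as JSON, so the credential key name need not be known."""
    findings = []
    for name, config in configs.items():
        for key, value in config.items():
            try:
                cred = json.loads(value) if isinstance(value, str) else value
            except ValueError:
                continue
            src = cred.get("credential_source") if isinstance(cred, dict) else None
            if not isinstance(src, dict):
                continue
            for field, check in (("file", check_file_source), ("url", check_url_source)):
                if field in src and (why := check(str(src[field]))):
                    findings.append(f"{name}.{key}: credential_source.{field}={src[field]!r}: {why}")
    return findings
SAMPLE_CONFIGS = {  # constructed; "keyfile" is an assumed config key holding the credential JSON
    "bq-sink-ok": {"keyfile": '{"type": "external_account", "credential_source": {"file": "/var/run/secrets/token"}}'},
    "bq-sink-fileread": {"keyfile": '{"type": "external_account", "credential_source": {"file": "/etc/shadow"}}'},
    "bq-sink-ssrf": {"keyfile": '{"type": "external_account", "credential_source": {"url": "http://169.254.169.254/computeMetadata/v1/"}}'},
}
```

Running `audit_connector_configs(SAMPLE_CONFIGS)` reports the file-read and SSRF configs and stays silent on the benign one; hostnames that resolve to internal addresses are deliberately left to egress filtering.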
Patch Information
Aiven has released version 2.11.0 of the BigQuery Connector for Apache Kafka which addresses this vulnerability. The fix introduces proper validation of credential configurations through new security utility libraries (io.aiven.commons:google-utils and io.aiven.commons:system) that sanitize credential source paths and URLs before processing.
Upgrade instructions and release notes are available in the GitHub Release v2.11.0. Additional details can be found in the GitHub Security Advisory GHSA-3mg8-2g53-5gj4.
Workarounds
- Restrict connector configuration privileges to trusted administrators only until the patch can be applied
- Implement network segmentation to limit outbound connectivity from Kafka Connect instances
- Deploy web application firewall (WAF) rules to block SSRF attempts targeting cloud metadata endpoints
- Use service mesh or network policies to restrict Kafka Connect's ability to access sensitive internal services
# Example: Upgrade BigQuery Connector using Maven
mvn dependency:purge-local-repository -DmanualInclude=com.wepay.kcbq:kcbq-connector
mvn dependency:resolve -DincludeArtifactIds=kcbq-connector -Dversion=2.11.0
# Verify installed version
mvn dependency:tree | grep kcbq-connector
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.