Skip to main content

Google BigQuery CVE-2026-3259

| EUVDEUVD-2026-25203 HIGH
Error Message Information Leak (CWE-209)
2026-04-23 GoogleCloud GHSA-g3wg-j2ff-prcp
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch released
Apr 24, 2026 - 14:50 nvd
Patch available
Patch available
Apr 23, 2026 - 11:01 EUVD
Analysis Generated
Apr 23, 2026 - 10:31 vuln.today
CVSS changed
Apr 23, 2026 - 10:22 NVD
7.1 (HIGH)
EUVD ID Assigned
Apr 23, 2026 - 10:00 euvd
EUVD-2026-25203
Analysis Generated
Apr 23, 2026 - 10:00 vuln.today
CVE Published
Apr 23, 2026 - 08:35 nvd
HIGH 7.1

DescriptionCVE.org

A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.

This vulnerability was patched on 29 January 2026, and no customer action is needed.

AnalysisAI

Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

This vulnerability affects the Materialized View Refresh mechanism in Google BigQuery, Google's serverless data warehouse service on Google Cloud Platform. The issue stems from CWE-209 (Generation of Error Message Containing Sensitive Information), where the system's error handling during materialized view refresh operations exposes sensitive data through verbose error messages. Materialized views in BigQuery precompute query results for performance optimization, and the refresh process periodically updates these cached results. When the refresh mechanism encounters runtime errors during execution of a specially crafted materialized view definition, it generates error messages that leak information beyond what the authenticated user should access. The CPE identifier cpe:2.3:a:google_cloud:bigquery indicates this affects the BigQuery service itself rather than client libraries or SDKs.

RemediationAI

Google Cloud Platform automatically deployed a server-side patch on 29 January 2026 that resolves this vulnerability across all BigQuery instances without requiring customer action, as stated in the official advisory at https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026. No manual patching, configuration changes, or service restarts are necessary. Organizations should verify their BigQuery activity logs for any suspicious materialized view creation or refresh errors during the exposure window prior to 29 January 2026, particularly focusing on views created by users with atypically broad data access. As compensating detective control, implement BigQuery audit logging to monitor materialized view DDL operations and refresh failures, alerting on patterns of repeated error-triggering view definitions that may indicate exploitation attempts. Review IAM permissions to ensure principle of least privilege for bigquery.tables.create and bigquery.tables.update permissions that enable materialized view manipulation.

Share

CVE-2026-3259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy