Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Lifecycle Timeline
8DescriptionCVE.org
A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.
This vulnerability was patched on 29 January 2026, and no customer action is needed.
AnalysisAI
Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.
Technical ContextAI
This vulnerability affects the Materialized View Refresh mechanism in Google BigQuery, Google's serverless data warehouse service on Google Cloud Platform. The issue stems from CWE-209 (Generation of Error Message Containing Sensitive Information), where the system's error handling during materialized view refresh operations exposes sensitive data through verbose error messages. Materialized views in BigQuery precompute query results for performance optimization, and the refresh process periodically updates these cached results. When the refresh mechanism encounters runtime errors during execution of a specially crafted materialized view definition, it generates error messages that leak information beyond what the authenticated user should access. The CPE identifier cpe:2.3:a:google_cloud:bigquery indicates this affects the BigQuery service itself rather than client libraries or SDKs.
RemediationAI
Google Cloud Platform automatically deployed a server-side patch on 29 January 2026 that resolves this vulnerability across all BigQuery instances without requiring customer action, as stated in the official advisory at https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026. No manual patching, configuration changes, or service restarts are necessary. Organizations should verify their BigQuery activity logs for any suspicious materialized view creation or refresh errors during the exposure window prior to 29 January 2026, particularly focusing on views created by users with atypically broad data access. As compensating detective control, implement BigQuery audit logging to monitor materialized view DDL operations and refresh failures, alerting on patterns of repeated error-triggering view definitions that may indicate exploitation attempts. Review IAM permissions to ensure principle of least privilege for bigquery.tables.create and bigquery.tables.update permissions that enable materialized view manipulation.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25203
GHSA-g3wg-j2ff-prcp