Skip to main content

Cloud Console CVE-2026-8934

| EUVDEUVD-2026-38262 MEDIUM
Missing Authorization (CWE-862)
2026-06-22 GoogleCloud GHSA-5xr4-qrm5-m2w8
6.9
CVSS 4.0 · Vendor: GoogleCloud
Share

Severity by source

Vendor (GoogleCloud) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
vuln.today AI
5.8 MEDIUM

Scope changed (S:C) because the attacker reads log data from other GCP projects outside the exploited component's authorization boundary; PR:N confirmed by CVSS 4.0 input.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GoogleCloud).

CVSS VectorVendor: GoogleCloud

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 17:01 EUVD
Analysis Generated
Jun 22, 2026 - 16:08 vuln.today

DescriptionCVE.org

A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request.

This vulnerability was patched on 7 April 2026, and no customer action is needed.

AnalysisAI

Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target GCP project identifier
Delivery
Craft GraphQL request targeting App Engine log operation
Exploit
Submit unauthenticated request to Cloud Console private API
Execution
Authorization check absent - request fulfilled by server
Impact
Receive App Engine request logs from victim project

Vulnerability AssessmentAI

Exploitation The only prerequisite is network access to the Cloud Console GraphQL private API endpoint over the internet, plus knowledge of a target GCP project's identifier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a network-reachable, zero-friction unauthenticated attack with low confidentiality impact on the vulnerable system and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies the Cloud Console's GraphQL private API endpoint used by the App Engine section of the UI, then crafts a GraphQL query referencing a target GCP project identifier other than their own. Because the authorization check was absent, the API returns App Engine request logs for the targeted project without validating the caller's entitlement - exposing potentially sensitive HTTP request metadata, paths, or application-level log payloads from the victim project. …
Remediation No customer action is required. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy