Skip to main content

Google BigQuery EUVDEUVD-2026-43338

| CVE-2026-14934 CRITICAL
Missing Authorization (CWE-862)
2026-07-13 GoogleCloud
9.4
CVSS 4.0 · Vendor: GoogleCloud
Share

Severity by source

Vendor (GoogleCloud) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
vuln.today AI
9.9 CRITICAL

Network API reachable with low-privilege auth and no interaction (AV:N/AC:L/PR:L/UI:N); cross-tenant impact crosses a security boundary so S:C with full C/I/A loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GoogleCloud).

CVSS VectorVendor: GoogleCloud

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 13, 2026 - 12:01 EUVD
Analysis Generated
Jul 13, 2026 - 11:16 vuln.today
CVE Published
Jul 13, 2026 - 10:20 cve.org
CRITICAL 9.4

DescriptionCVE.org

A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover.

This vulnerability was patched on 10 May 2026, and no customer action is needed.

AnalysisAI

Cross-tenant privilege escalation in the repository creation functionality shared by Google Cloud BigQuery, Dataform, and Colab Enterprise allowed an authenticated GCP user to take over repositories belonging to other tenants. Rated CVSS 4.0 9.4 (critical) with a scope-changing cross-tenant impact, the flaw was a Missing Authorization (CWE-862) issue affecting the managed services between October 2025 and 10 May 2026. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege GCP user
Delivery
Call repository creation API
Exploit
Bypass missing tenant authorization check
Execution
Create/claim repository in victim tenant
Impact
Cross-tenant repository takeover

Vulnerability AssessmentAI

Exploitation The attacker must be an authenticated Google Cloud principal with at least low-level privileges (CVSS PR:L) able to reach the repository creation functionality of BigQuery, Dataform, or Colab Enterprise - no elevated admin rights, no user interaction, and no special client-side configuration are required, and the vector is network-reachable against the standard managed service. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point to a genuinely high-severity control-plane flaw but with a narrow, vendor-controlled exposure window. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege but valid identity in any GCP tenant invokes the repository creation API for BigQuery, Dataform, or Colab Enterprise and, exploiting the missing authorization check, creates or claims a repository scoped to a victim tenant, achieving cross-tenant repository takeover and access to another customer's data-pipeline code. Because AC:L and PR:L with no user interaction, the operation is a straightforward authenticated API call rather than a complex chain; no public exploit code has been identified.
Remediation No customer action is required: Google remediated the vulnerability server-side across BigQuery, Dataform, and Colab Enterprise on 10 May 2026, so all customers are automatically protected as of that date (patch available per vendor advisory and applied by Google - see https://docs.cloud.google.com/support/bulletins#gcp-2026-047). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: verify that BigQuery, Dataform, and Colab Enterprise services are operating at the current version incorporating the 10 May 2026 server-side remediation and scan recent repository access logs for indicators of cross-tenant activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy