Cloud Console Uis
Monthly
Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.
Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.