CVE-2026-14934
Google Cloud · BigQuery, Dataform, Colab Enterprise
Google Cloud BigQuery, Dataform, and Colab Enterprise contained a missing authorization vulnerability that allowed authenticated attackers to perform cross-tenant repository takeovers.
Executive summary
A now-patched missing authorization vulnerability in Google Cloud services allowed authenticated users to escalate privileges and access unauthorized cross-tenant repositories.
Vulnerability
This vulnerability involved missing authorization (CWE-862) within the repository creation functionality. An authenticated user could exploit this flaw to perform unauthorized actions across different tenant environments, effectively bypassing standard cloud isolation boundaries.
Business impact
The impact of this vulnerability was severe (CVSS 9.4), as it allowed for cross-tenant data access and unauthorized repository takeover. This could have resulted in the exposure of highly sensitive proprietary data or source code, potentially affecting multiple organizations utilizing these Google Cloud services simultaneously.
Remediation
Immediate Action: No customer action is required as Google Cloud has already implemented the necessary patches on the backend.
Proactive Monitoring: Review audit logs for the period between October 2025 and May 10, 2026, for any anomalous repository creation or access events that may indicate prior exploitation.
Compensating Controls: While the vulnerability is patched, maintain standard IAM (Identity and Access Management) best practices, such as the Principle of Least Privilege, to limit the potential impact of any future authorization flaws.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This issue is resolved. Security teams should focus on reviewing historical audit logs if they suspect their environment was targeted during the affected timeframe. No further software remediation is required for this specific vulnerability.