CVE-2026-1727 | THREATINT

Description

The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this.

PUBLISHED Reserved 2026-01-31 | Published 2026-02-06 | Updated 2026-02-06 | Assigner GoogleCloud

CRITICAL: 9.1CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/U:Clear

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

Any version before 12/12/2025

affected

Credits

Omer Amiad reporter

References

docs.cloud.google.com/gemini/enterprise/docs/release-notes

cve.org (CVE-2026-1727)

nvd.nist.gov (CVE-2026-1727)

Download JSON