PatchSiren

Google Cloud CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Google Cloud CVE published 2026-06-24

CVE-2026-12537

CVE-2026-12537 is a critical vulnerability with a CVSS score of 10, affecting Google Gemini CLI versions prior to 0.39.1 and run-gemini-cli GitHub Action versions prior to 0.1.22. The vulnerability is caused by improper neutralization of special elements used in an OS command in the container launcher, allowing an unprivileged attacker to achieve pre-sandbox host-level code execution via a maliciously crafted .gemini/.env fi [truncated]

CRITICAL Google Cloud CVE published 2026-06-11

CVE-2026-4764

CVE-2026-4764 is a Critical Missing Authorization vulnerability in Dialogflow CX on Google Cloud Platform. An authenticated user with specific roles can exploit this vulnerability to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import. The vulnerability was patched on March 15, 2026, and no customer action is required.

CRITICAL Google Cloud CVE published 2026-05-26

CVE-2026-2264

A critical vulnerability in Google Cloud Apigee's SetIntegrationRequest policy enables Server-Side Request Forgery (SSRF) with service account token exfiltration. The flaw requires an administrator to first configure an API proxy insecurely, creating an attack path for remote adversaries to leverage the misconfigured policy for unauthorized internal requests and credential theft. The CVSS 4.0 vector indic [truncated]

CRITICAL Google Cloud CVE published 2026-05-15

CVE-2026-2031

CVE-2026-2031 is a critical improper access control vulnerability described as affecting several internal API endpoints in Google Cloud Application Integration prior to 2026-01-23. The CVE description states that a remote, unauthenticated attacker could use specially crafted HTTP requests against inadvertently exposed internal API endpoints to disclose sensitive internal information and execute arbitrary [truncated]

HIGH Google Cloud CVE published 2026-02-20

CVE-2026-2472

CVE-2026-2472 is a Stored Cross-Site Scripting (XSS) vulnerability in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0. This vulnerability allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment by injecting script escape sequences into model [truncated]