Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise
Summary
| CVE | CVE-2026-14934 |
|---|---|
| State | PUBLISHED |
| Assigner | GoogleCloud |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-13 11:16:26 UTC |
| Updated | 2026-07-13 11:16:26 UTC |
| Description | A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover. This vulnerability was patched on 10 May 2026, and no customer action is needed. |
Risk And Classification
Primary CVSS: v4.0 9.4 CRITICAL from f45cbf4e-4146-4068-b7e1-655ffc2c548c
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Problem Types: CWE-862 | CWE-862 CWE-862 Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f45cbf4e-4146-4068-b7e1-655ffc2c548c | Secondary | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Google Cloud | BigQuery | affected 2025-10 2026-05-10 date | Not specified |
| CNA | Google Cloud | Dataform | affected 2025-10 2026-05-10 date | Not specified |
| CNA | Google Cloud | Colab Enterprise | affected 2025-10 2026-05-10 date | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| docs.cloud.google.com/support/bulletins | f45cbf4e-4146-4068-b7e1-655ffc2c548c | docs.cloud.google.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Omer Amiad (en)
There are currently no legacy QID mappings associated with this CVE.