{"api_version":"1","generated_at":"2026-04-23T12:53:30+00:00","cve":"CVE-2026-3259","urls":{"html":"https://cve.report/CVE-2026-3259","api":"https://cve.report/api/cve/CVE-2026-3259.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3259","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3259"},"summary":{"title":"Sensitive Data Disclosure in BigQuery via Materialized View Error Messages","description":"A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed.","state":"PUBLISHED","assigner":"GoogleCloud","published_at":"2026-04-23 10:16:16","updated_at":"2026-04-23 10:16:16"},"problem_types":["CWE-209","CWE-209 CWE-209 Generation of error message containing sensitive information"],"metrics":[{"version":"4.0","source":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"CLEAR"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"CLEAR","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026","name":"https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026","refsource":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3259","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3259","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Google Cloud","product":"BigQuery","version":"affected 01/29/2026 date","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Gonzalo López Zuloaga","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"BigQuery","vendor":"Google Cloud","versions":[{"lessThan":"01/29/2026","status":"affected","version":"0","versionType":"date"}]}],"credits":[{"lang":"en","type":"reporter","value":"Gonzalo López Zuloaga"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.<br><br><div><div>This vulnerability was patched on 29 January 2026, and no customer action is needed.</div></div>"}],"value":"A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed."}],"impacts":[{"capecId":"CAPEC-54","descriptions":[{"lang":"en","value":"CAPEC-54 Query System for Information"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"CLEAR","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-209","description":"CWE-209 Generation of error message containing sensitive information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-23T08:35:04.149Z","orgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","shortName":"GoogleCloud"},"references":[{"url":"https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026"}],"source":{"discovery":"EXTERNAL"},"title":"Sensitive Data Disclosure in BigQuery via Materialized View Error Messages","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","assignerShortName":"GoogleCloud","cveId":"CVE-2026-3259","datePublished":"2026-04-23T08:35:04.149Z","dateReserved":"2026-02-26T14:21:42.934Z","dateUpdated":"2026-04-23T08:35:04.149Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-23 10:16:16","lastModifiedDate":"2026-04-23 10:16:16","problem_types":["CWE-209","CWE-209 CWE-209 Generation of error message containing sensitive information"],"metrics":{"cvssMetricV40":[{"source":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"CLEAR"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3259","Ordinal":"1","Title":"Sensitive Data Disclosure in BigQuery via Materialized View Erro","CVE":"CVE-2026-3259","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3259","Ordinal":"1","NoteData":"A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed.","Type":"Description","Title":"Sensitive Data Disclosure in BigQuery via Materialized View Erro"}]}}}