External risk intelligence

Google Cloud BigQuery Dataform Colab Enterprise Privilege Escalation

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-14934

The vulnerability exists in internal repository creation functionality within Google Cloud managed services. While these services are accessed over the network, the specific repository management features are typically used by authenticated internal users or automated systems within a cloud tenant, making direct public-internet-facing exposure uncommon.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Google Cloud services allowed an authenticated attacker to potentially take over other users' repositories, leading to unauthorized access and control. The issue affected services between October 2025 and May 10th, 2026, but has since been patched, and no customer action is required.

  • Attacker could take over other users' repositories.
  • Confirms Google patched the privilege escalation flaw.
  • The main concern is confirming relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker with standard access could potentially escalate their privileges and take over repositories belonging to other tenants by exploiting a flaw in how new repositories are created. This vulnerability is present in certain versions of Google Cloud BigQuery, Dataform, and Colab Enterprise.

  • Requires authenticated access.
  • Triggered during repository creation.
  • Leads to privilege escalation and cross-tenant takeover.

Live Threat

Current exploitation, exposure, and threat context

An authenticated attacker could exploit this vulnerability to escalate privileges and take over repositories across different tenants. This could occur when the repository creation functionality is used, potentially affecting system data and service behavior.

  • Tenant repositories could be compromised.
  • Privilege escalation may occur.
  • Cross-tenant repository takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

While the description indicates the vulnerability has been patched and no customer action is needed, in a real-world scenario, Platform and Security teams would typically be responsible for managing and patching Google Cloud services. The initial practical step would involve verifying the patch status of affected services and confirming the vulnerability does not exist in any unpatched or custom configurations.

  • Platform teams own remediation.
  • Verify patch status of services.
  • Confirm no customer action needed.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the software affected by CVE-2026-14934?

This CVE involves Google Cloud BigQuery, Dataform, and Colab Enterprise. These are managed cloud services used for data warehousing, managing data transformation pipelines, and collaborative notebook-based data science. The issue resided within their underlying repository creation functionality, which handles how users initialize and organize projects or code stores within the Google Cloud environment.

How does this CVE-2026-14934 privilege escalation work?

The vulnerability is categorized as CWE-862, or Missing Authorization. Essentially, the software failed to properly verify if a user had permission to perform repository creation actions. This oversight allowed a logged-in user to bypass normal access controls and manipulate repository structures they did not own, leading to unauthorized access across different cloud tenants.

What triggers the CVE-2026-14934 repository takeover?

An attacker must be an authenticated user of the platform to trigger this bug. The flaw specifically occurs during the repository creation process within the affected services. It is important to note that simply accessing or viewing existing, static repositories does not trigger this vulnerability; the malicious activity is tied to the specific action of creating or initializing a new repository.

Do I need to worry about CVE-2026-14934 on the public internet?

According to Halo Surface Signal, this vulnerability is considered unlikely to be exposed via the public internet. While these services are network-accessible, the repository management features are typically used by authenticated internal users or automated systems within a specific cloud tenant. The risk is generally scoped to interactions occurring within the Google Cloud managed infrastructure rather than direct public-facing endpoints.

What should I do now that CVE-2026-14934 is disclosed?

No customer action is required for this vulnerability. Google resolved the issue globally on May 10, 2026, by applying the necessary patches to the affected cloud services. Since the infrastructure is managed by the provider, the fix is already in effect for all users, ensuring that the privilege escalation path is no longer available.