{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3259", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-02-26T14:21:42.934Z", "datePublished": "2026-04-23T08:35:04.149Z", "dateUpdated": "2026-04-30T15:21:26.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-04-23T08:35:04.149Z"}, "title": "Sensitive Data Disclosure in BigQuery via Materialized View Error Messages", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-209", "description": "CWE-209 Generation of error message containing sensitive information", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "affected": [{"vendor": "Google Cloud", "product": "BigQuery", "versions": [{"status": "affected", "version": "0", "lessThan": "01/29/2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.<br><br><div><div>This vulnerability was patched on 29 January 2026, and no customer action is needed.</div></div>"}]}], "references": [{"url": "https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "CLEAR", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear"}}], "credits": [{"lang": "en", "value": "Gonzalo L\u00f3pez Zuloaga", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:31:23.426729Z", "id": "CVE-2026-3259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T15:21:26.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T12:31:23.426729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:34:14.415Z"}}], "cna": {"title": "Sensitive Data Disclosure in BigQuery via Materialized View Error Messages", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Gonzalo L\u00f3pez Zuloaga"}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Google Cloud", "product": "BigQuery", "versions": [{"status": "affected", "version": "0", "lessThan": "01/29/2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed.", "supportingMedia": [{"type": "text/html", "value": "A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.<br><br><div><div>This vulnerability was patched on 29 January 2026, and no customer action is needed.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of error message containing sensitive information"}]}], "providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-04-23T08:35:04.149Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3259", "state": "PUBLISHED", "dateUpdated": "2026-04-30T15:21:26.856Z", "dateReserved": "2026-02-26T14:21:42.934Z", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "datePublished": "2026-04-23T08:35:04.149Z", "assignerShortName": "GoogleCloud"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.\n\nThis vulnerability was patched on 29 January 2026, and no customer action is needed."}], "id": "CVE-2026-3259", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}, "published": "2026-04-23T10:16:16.610", "references": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "url": "https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026"}], "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,01/29/2026)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "bigquery", "vendor": "google_cloud"}], "analysis": {"en": {"generated_at": "2026-04-29T01:43:06.512750+00:00", "value": {"mitigation_remediation": ["Inventory all materialized view definitions and modify or drop any that could provoke sensitive error messages.", "Limit permission to refresh materialized views to the minimum set of users required for business operations.", "Configure CloudAudit logs to flag error messages containing potentially sensitive data and restrict log access to authorized personnel."], "summary": {"action": "No action required", "impact": "Sensitive data disclosure via error messages in BigQuery materialized view refresh"}, "threat_synthesis": {"affected_systems": "The affected product is Google Cloud BigQuery. The vulnerability was addressed in an update released on 29 January 2026. Users running a version of BigQuery that predates this update\u2014i.e., any instance that is still on a date before 29 January 2026\u2014may be susceptible. No specific sub\u2011versions were enumerated, so all pre\u201129 January releases should be examined.", "description_and_impact": "This vulnerability involves an unintentional exposure of confidential data when a materialized view refresh in Google BigQuery generates an error message that contains sensitive information. An attacker who is able to create and run a crafted materialized view can trigger a runtime error and receive an error report that leaks data from the underlying query. The flaw is classified as a high severity information disclosure problem and is mapped to the Common Weakness Enumeration CWE\u2011209, which covers data exposure through error messages. Because the error can contain tenant\u2011specific data, any authenticated request that causes the error is capable of revealing secrets within the project\u2019s data set.", "risk_and_exploitability": "The CVSS score of 7.1 places the issue in the high severity band, whereas the EPSS score indicates that exploitation is unlikely (less than 1% probability). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw requires authenticated access to generate the malicious view, it is effectively an insider or compromised\u2011credential scenario rather than a public threat. An attacker would need to have the privilege to create or modify materialized views and trigger a refresh, after which the leaking error message would be returned to the attacker. Provided current logging and monitoring, the risk of accidental disclosure can be mitigated even if the vulnerability were present."}}}}, "created": "2026-04-28T09:26:15.399860+00:00", "updated": "2026-04-29T01:45:26.034195+00:00", "vendors": ["google_cloud", "google_cloud$PRODUCT$bigquery"]}