CVE-2026-8934 PUBLISHED

Cross-Project Information Leakage in Google App Engine UI

Assigner: GoogleCloud
Reserved: 19.05.2026 Published: 22.06.2026 Updated: 22.06.2026

A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request.

This vulnerability was patched on 7 April 2026, and no customer action is needed.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Google Cloud
Product	Cloud Console UIs
Versions	Default: unaffected affected from 0 to 2026-04-07 (excl.)

Credits

Michael Dalton reporter
Arvin Shivram reporter

References

https://docs.cloud.google.com/support/bulletins#gcp-2026-038

Problem Types

CWE-862 Missing Authorization CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs