CVE-2026-1727

CRITICAL

Google Cloud Gemini Enterprise < 12/12/2025 - Exposure of Sensitive Information via Predictable GCS Bucket Names

Title source: llm

Description

The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this.

References (1)

Core 1

Core References

Various Sources

https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#February_06_2026

Scores

CVSS v4 9.1

EPSS 0.0025

EPSS Percentile 16.3%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/U:Clear

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

Google Cloud/Gemini Enterprise (formerly Agentspace) < 12/12/2025

Published Feb 06, 2026

Tracked Since Feb 18, 2026