CVE-2026-3259

HIGH

Sensitive Data Disclosure in BigQuery via Materialized View Error Messages

Title source: cna

Description

A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process. This vulnerability was patched on 29 January 2026, and no customer action is needed.

References (1)

Core 1

Core References

https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026

Scores

CVSS v4 7.1

EPSS 0.0023

EPSS Percentile 13.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (1)

Google Cloud/BigQuery < 01/29/2026

Published Apr 23, 2026

Tracked Since Apr 23, 2026