CVE-2026-3259

HIGH

Sensitive Data Disclosure in BigQuery via Materialized View Error Messages

Title source: cna

Description

A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process. This vulnerability was patched on 29 January 2026, and no customer action is needed.

References (1)

https://docs.cloud.google.com/bigquery/docs/release-notes/#April_15_2026

Scores

CVSS v4 7.1

EPSS 0.0004

EPSS Percentile 12.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear

Details

CWE

CWE-209

Status published

Products (1)

Google Cloud/BigQuery < 01/29/2026

Published Apr 23, 2026

Tracked Since Apr 23, 2026