StubZero: $148,337 RCE in Google Cloud Production
A recent vulnerability in Google Cloud's production environment escalated from an API information leak to remote code execution. The issue was assigned CVE-2026-2031 and was discovered through automated fuzzing tools. This incident highlights significant security concerns about internal API endpoints and their potential exposure of sensitive information.
- The vulnerability was initially detected in an API endpoint responding with status 200 to suspicious requests.
- The endpoint allowed access to internal protobuf definitions, which could disclose sensitive request and response data.
- The issue was exacerbated by the ability to manipulate query parameters to extract further information from the API.
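The first bullet describes the signal that started the whole chain: an API surface that is not meant to be public answering 200 to requests for unpublished endpoints. From the defender's side, the same signal can be pulled out of access logs. The following is an added example, not code from Brutecat's write-up or from Google; it assumes a minimal constructed access-log format (client, request line, status) and a hypothetical published-method allowlist, and it flags any unpublished path that is reachable from outside, with "exposed" severity when the path answers 2xx and "reachable" when it merely errors (a 500 still proves the endpoint exists, which is exactly the lead the article follows).

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Assumption: a minimal access-log line of the form
#   <client> "<METHOD> <path>[?query]" <status>
# This is a constructed format for the example, not any provider's real log schema.
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>[^\s?"]+)(?:\?[^"]*)?" (?P<status>\d{3})$'
)

# Responses that mean "nothing to see here": the path is unknown or access is denied.
NOT_EXPOSED_STATUSES = {401, 403, 404}


class Finding(NamedTuple):
    path: str
    status: int
    severity: str  # "exposed": unpublished path answered 2xx; "reachable": it exists but errored


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse one log line into (method, path, status); None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("path"), int(m.group("status"))


def find_unexpected_exposure(lines: Iterable[str], published_paths: Set[str]) -> List[Finding]:
    """Report unpublished paths that an external client could reach.

    A path is considered exposed when it is not on the published allowlist and
    the service answered with a success status; it is considered reachable when
    it is not on the allowlist and the answer was anything other than an
    unknown/denied status (e.g. a 500 leaks that the handler exists).
    """
    findings: List[Finding] = []
    seen = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        _method, path, status = parsed
        if path in published_paths or status in NOT_EXPOSED_STATUSES:
            continue
        severity = "exposed" if 200 <= status < 300 else "reachable"
        key = (path, severity)
        if key in seen:
            continue  # report each (path, severity) once, not per request
        seen.add(key)
        findings.append(Finding(path, status, severity))
    return findings


# Constructed sample log. The :listServicesByServer method is the one named in the
# article; every other path and the client address are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 "GET /v1/integrationPlatform:listServices" 200',
    '203.0.113.7 "GET /v1/integrationPlatform:listServicesByServer" 500',
    '203.0.113.7 "GET /v1/integrationPlatform:listServicesByServer" 500',
    '203.0.113.7 "GET /v1/internal/protoDescriptors?service=example" 200',
    '203.0.113.7 "POST /v1/debug:dump" 404',
    '203.0.113.7 "GET /v1/integrationPlatform:adminOnly" 403',
]

# Hypothetical allowlist: the only method this service documents for external callers.
PUBLISHED = {"/v1/integrationPlatform:listServices"}

if __name__ == "__main__":
    for finding in find_unexpected_exposure(SAMPLE_LOG, PUBLISHED):
        print(f"{finding.severity:9} {finding.status} {finding.path}")
```

Run against the constructed sample, the checker reports `:listServicesByServer` as reachable (it exists, even though it only returns 500) and `/v1/internal/protoDescriptors` as exposed; the documented method, the 404 and the 403 are silent. The allowlist is the part that matters in practice: it has to come from the API's published surface, not from whatever the service happens to answer.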
Opening excerpt (first ~120 words):
What started as a debugging endpoint info leak escalated into full remote code execution on Google Cloud's production environment. Three months later, it happened again. This vulnerability was assigned CVE-2026-2031.

This story starts with one of my automated fuzzing tools alerting me about the API cloudcrmipfrontend-pa.googleapis.com, as it was responding with status 200 to some suspicious endpoints. On further inspection, the API seems to have several public debugging endpoints:

[Screenshot: an internal API explorer tool I built for testing internal Google APIs from a discovery document. "#req2proto as a Service™"]

Some of the endpoints, like GET /v1/integrationPlatform:listServicesByServer, seemed to always return internal server error.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Brutecat.