{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3136", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-02-24T17:29:16.705Z", "datePublished": "2026-03-03T16:22:54.502Z", "dateUpdated": "2026-03-04T04:55:36.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cloud Build", "vendor": "Google Cloud", "versions": [{"lessThan": "1/26/2026", "status": "affected", "version": "0", "versionType": "date"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "inspector-ambitious"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper authorization<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;vulnerability in </span>GitHub Trigger Comment Control<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span>Google&nbsp;Cloud Build<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>prior to 2026-1-26<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows </span>a remote attacker<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;to </span>execute arbitrary code in the build environment.<br><br><span style=\"background-color: rgb(255, 255, 255);\">This vulnerability was </span><span style=\"background-color: rgb(237, 192, 45);\">patched</span><span style=\"background-color: rgb(255, 255, 255);\"> on 26 January 2026, and no customer action is needed.</span><br>"}], "value": "An improper authorization\u00a0vulnerability in GitHub Trigger Comment Control\u00a0in Google\u00a0Cloud Build\u00a0prior to 2026-1-26\u00a0allows a remote attacker\u00a0to execute arbitrary code in the build environment.\n\nThis vulnerability was patched on 26 January 2026, and no customer action is needed."}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization (Permission Bypass)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-03-03T16:22:54.502Z"}, "references": [{"url": "https://docs.cloud.google.com/build/docs/release-notes#March_03_2026"}], "source": {"discovery": "EXTERNAL"}, "title": "Google Cloud Build Comment Control Bypass", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-3136"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T04:55:36.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3136", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T16:38:02.406014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T16:38:14.528Z"}}], "cna": {"title": "Google Cloud Build Comment Control Bypass", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "inspector-ambitious"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Google Cloud", "product": "Cloud Build", "versions": [{"status": "affected", "version": "0", "lessThan": "1/26/2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.cloud.google.com/build/docs/release-notes#March_03_2026"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An improper authorization\u00a0vulnerability in GitHub Trigger Comment Control\u00a0in Google\u00a0Cloud Build\u00a0prior to 2026-1-26\u00a0allows a remote attacker\u00a0to execute arbitrary code in the build environment.\n\nThis vulnerability was patched on 26 January 2026, and no customer action is needed.", "supportingMedia": [{"type": "text/html", "value": "An improper authorization<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;vulnerability in </span>GitHub Trigger Comment Control<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span>Google&nbsp;Cloud Build<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>prior to 2026-1-26<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows </span>a remote attacker<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;to </span>execute arbitrary code in the build environment.<br><br><span style=\"background-color: rgb(255, 255, 255);\">This vulnerability was </span><span style=\"background-color: rgb(237, 192, 45);\">patched</span><span style=\"background-color: rgb(255, 255, 255);\"> on 26 January 2026, and no customer action is needed.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization (Permission Bypass)"}]}], "providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-03-03T16:22:54.502Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3136", "state": "PUBLISHED", "dateUpdated": "2026-03-04T04:55:36.155Z", "dateReserved": "2026-02-24T17:29:16.705Z", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "datePublished": "2026-03-03T16:22:54.502Z", "assignerShortName": "GoogleCloud"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:cloud_build:*:*:*:*:*:*:*:*", "matchCriteriaId": "79BCC7BB-7D52-40A1-A604-969908D01860", "versionEndExcluding": "2026-1-26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authorization\u00a0vulnerability in GitHub Trigger Comment Control\u00a0in Google\u00a0Cloud Build\u00a0prior to 2026-1-26\u00a0allows a remote attacker\u00a0to execute arbitrary code in the build environment.\n\nThis vulnerability was patched on 26 January 2026, and no customer action is needed."}], "id": "CVE-2026-3136", "lastModified": "2026-03-05T21:44:42.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}, "published": "2026-03-03T17:16:19.160", "references": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "tags": ["Release Notes"], "url": "https://docs.cloud.google.com/build/docs/release-notes#March_03_2026"}], "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1/26/2026)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cloud Build", "source": "cna", "vendor": "Google Cloud"}, "product": "cloud_build", "vendor": "google_cloud"}], "analysis": {"en": {"generated_at": "2026-04-18T17:30:30.701103+00:00", "value": {"mitigation_remediation": ["Ensure your Google Cloud Build is running a release of 26 January 2026 or later, which includes the fix.", "Restrict the use of GitHub trigger comments to users with elevated IAM permissions or CI/CD roles, limiting exposure to trusted contributors.", "Set up alerting on build logs to detect anomalous or unauthorized trigger comments and review activity for signs of compromise."], "summary": {"action": "No action required", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Google Cloud Build deployments that used builds prior to the 26 January 2026 release are impacted. Users with GitHub trigger comments enabled before this date are potentially exposed until the patch is applied.", "description_and_impact": "The vulnerability is an improper authorization flaw in the GitHub Trigger Comment Control feature of Google Cloud Build, classified as CWE\u2011863. A remote attacker who can send a specially crafted trigger comment can execute arbitrary code within the build environment, potentially compromising build artifacts and downstream services. It is inferred that the attacker must be able to create or modify such trigger comments to exploit the flaw.", "risk_and_exploitability": "The CVSS score of 8.6 underscores the high severity, but the EPSS score of less than 1% and absence from the CISA KEV catalog indicate a low likelihood of exploitation. Attackers would need to exploit the GitHub trigger interface remotely. It is inferred that attackers need the ability to create or modify trigger comments. As the fix was released on 26 January 2026 and no exploitation has been reported, the risk for current customers is mitigated when using a patched configuration."}}}}, "created": "2026-03-04T14:54:13.334446+00:00", "updated": "2026-04-18T17:45:06.043271+00:00", "vendors": ["google_cloud", "google_cloud$PRODUCT$cloud_build"]}