CVE-2026-1727 CRITICAL

CVE-2026-1727: Information Disclosure via Bucket Squatting in Google Cloud Agentspace.

Vendor Google Cloud
Product Gemini Enterprise (formerly Agentspace)
Weakness CWE-200 · Info exposure
Published February 6, 2026
Last update February 9, 2026
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/U:Clear

What the vulnerability does

01Description

The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this.

Key dates

02Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-58049 CVE-2026-45300 async-http-client: Cookie header not stripped on cross-origin redirect CVE-2025-4523 IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function CVE-2025-13006 SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure CVE-2024-8072 Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users