CVE-2026-3136 HIGH

CVE-2026-3136: Google Cloud Build Comment Control Bypass

Vendor Google Cloud

Product Cloud Build

Weakness CWE-863 · Incorrect authorization

Published March 3, 2026

Last update March 4, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Clear

What the vulnerability does

01Description

An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed.

Key dates

02Disclosure timeline

March 3, 2026 CVE published

March 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3136 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-3136: Google Cloud Build Comment Control Bypass

01Description

02Disclosure timeline

03References

04Related CVE