CVE-2026-3259 HIGH

CVE-2026-3259: Sensitive Data Disclosure in BigQuery via Materialized View Error Messages

Vendor Google Cloud
Product BigQuery
Weakness CWE-209 · Error message info leak
Published April 23, 2026
Last update April 30, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Clear

What the vulnerability does

01Description

A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process. This vulnerability was patched on 29 January 2026, and no customer action is needed.

Key dates

02Disclosure timeline

April 23, 2026 CVE published
April 30, 2026 Record updated