CVE-2026-3136
Improper Authorization in Google Cloud Build Enables Remote Code Execution
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: GoogleCloud
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| | cloud_build | to 2026-1-26 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3136 is an improper authorization vulnerability in the GitHub Trigger Comment Control feature of Google Cloud Build prior to January 26, 2026.
This vulnerability allows a remote attacker to execute arbitrary code within the build environment.
The issue was patched on January 26, 2026, and no customer action is needed.
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to execute arbitrary code in your build environment, potentially leading to unauthorized actions, data compromise, or disruption of your build processes.
Because the attacker can run arbitrary code, they might gain control over the build environment, which could be used to inject malicious code, access sensitive information, or affect the integrity of your software builds.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability CVE-2026-3136 in Google Cloud Build was patched as of January 26, 2026.
No customer action is needed since the fix has already been applied in the service.