CVE-2026-8934
Awaiting Analysis Awaiting Analysis - Queue

Missing Authorization in Google App Engine GraphQL API

Vulnerability report for CVE-2026-8934, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GoogleCloud

Description

A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request. This vulnerability was patched on 7 April 2026, and no customer action is needed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
google app_engine to 2026-04-07 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Missing Authorization issue in a GraphQL private API operation within the Google App Engine section of the Cloud Console. It allows an unauthenticated remote attacker to access and leak sensitive App Engine request logs from other projects by sending a specially crafted request.

Impact Analysis

The impact of this vulnerability is that an attacker without authentication can obtain sensitive request logs from other projects. This could lead to exposure of confidential information contained in those logs, potentially compromising the security and privacy of affected projects.

Mitigation Strategies

This vulnerability was patched on 7 April 2026, and no customer action is needed.

Compliance Impact

The vulnerability allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive information.

However, the vulnerability was patched on 7 April 2026, and no customer action is needed, indicating that the risk has been mitigated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart