Description
An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment.

This vulnerability was patched on 26 January 2026, and no customer action is needed.
Published: 2026-03-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: No action required
AI Analysis

Impact

The vulnerability is an improper authorization flaw in the GitHub Trigger Comment Control feature of Google Cloud Build, classified as CWE‑863. A remote attacker who can send a specially crafted trigger comment can execute arbitrary code within the build environment, potentially compromising build artifacts and downstream services. It is inferred that the attacker must be able to create or modify such trigger comments to exploit the flaw.

Affected Systems

All Google Cloud Build deployments that used builds prior to the 26 January 2026 release are impacted. Users with GitHub trigger comments enabled before this date are potentially exposed until the patch is applied.

Risk and Exploitability

The CVSS score of 8.6 underscores the high severity, but the EPSS score of less than 1% and absence from the CISA KEV catalog indicate a low likelihood of exploitation. Attackers would need to exploit the GitHub trigger interface remotely. It is inferred that attackers need the ability to create or modify trigger comments. As the fix was released on 26 January 2026 and no exploitation has been reported, the risk for current customers is mitigated when using a patched configuration.

Generated by OpenCVE AI on April 18, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure your Google Cloud Build is running a release of 26 January 2026 or later, which includes the fix.
  • Restrict the use of GitHub trigger comments to users with elevated IAM permissions or CI/CD roles, limiting exposure to trusted contributors.
  • Set up alerting on build logs to detect anomalous or unauthorized trigger comments and review activity for signs of compromise.

Generated by OpenCVE AI on April 18, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google cloud Build
CPEs cpe:2.3:a:google:cloud_build:*:*:*:*:*:*:*:*
Vendors & Products Google
Google cloud Build
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Google Cloud
Google Cloud cloud Build
Vendors & Products Google Cloud
Google Cloud cloud Build

Tue, 03 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed.
Title Google Cloud Build Comment Control Bypass
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Clear'}

Subscriptions

Google Cloud Build
Google Cloud Cloud Build
cve-icon MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-03-04T04:55:36.155Z

Reserved: 2026-02-24T17:29:16.705Z

Link: CVE-2026-3136

cve-icon Vulnrichment

Updated: 2026-03-03T16:38:14.528Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T17:16:19.160

Modified: 2026-03-05T21:44:42.407

Link: CVE-2026-3136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses