Impact
This vulnerability involves an unintentional exposure of confidential data when a materialized view refresh in Google BigQuery generates an error message that contains sensitive information. An attacker who is able to create and run a crafted materialized view can trigger a runtime error and receive an error report that leaks data from the underlying query. The flaw is classified as a high-severity information disclosure issue and is mapped to Common Weakness Enumeration entry CWE-209, which covers data exposure through error messages. Because the error can contain tenant-specific data, any authenticated request that causes the error is capable of revealing secrets within the project's dataset.
Affected Systems
The affected product is Google Cloud BigQuery. The vulnerability was addressed in an update released on 29 January 2026. Users running a version of BigQuery that predates this update (that is, any instance still on a release dated before 29 January 2026) may be susceptible. No specific sub-versions were enumerated, so all releases before 29 January 2026 should be examined.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high severity band, whereas the EPSS score indicates that exploitation is unlikely (less than 1% probability). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw requires authenticated access to generate the malicious view, it is effectively an insider or compromised-credential scenario rather than a public threat. An attacker would need the privilege to create or modify materialized views and to trigger a refresh, after which the leaking error message would be returned to the attacker. With current logging and monitoring in place, the risk of accidental disclosure can be mitigated even if the vulnerability is present.