CVE-2026-3136
Published: 03 March 2026
Summary
CVE-2026-3136 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Google Cloud Build. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations to directly prevent improper authorization vulnerabilities like CVE-2026-3136 that allow unauthenticated remote code execution in Cloud Build.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as this improper authorization vulnerability through patching, as demonstrated by Google's fix on January 26, 2026.
- Limits privileges in the build environment to minimize the impact of arbitrary code execution even if authorization is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing cloud application (T1190) for arbitrary code execution in build pipelines, directly facilitating software supply chain compromise (T1195.002).
NVD Description
An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed.
Deeper analysis
CVE-2026-3136 is an improper authorization vulnerability (CWE-863) in the GitHub Trigger Comment Control feature of Google Cloud Build versions prior to the patch released on January 26, 2026. This flaw enables a remote attacker to execute arbitrary code within the build environment, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) due to its critical impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by any unauthenticated remote attacker over the network with low complexity and no user interaction required. Successful exploitation grants the attacker the ability to run arbitrary code in the Cloud Build environment, potentially leading to full compromise of build pipelines, data exfiltration, or further lateral movement within the cloud infrastructure.
Google patched the issue on January 26, 2026, and states that no customer action is required. Additional details are available in the Cloud Build release notes at https://docs.cloud.google.com/build/docs/release-notes#March_03_2026.
Details
- CWE(s)