CVE-2026-3136
Published: 03 March 2026
Description
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Security Summary
CVE-2026-3136 is an improper authorization vulnerability (CWE-863) in the GitHub Trigger Comment Control feature of Google Cloud Build, affecting the service prior to the fix Google deployed on January 26, 2026. Comment control is the trigger setting that makes a pull-request build wait for a /gcbrun comment from a repository owner or collaborator before it starts; the flaw is in that authorization check. A remote attacker could use it to execute arbitrary code inside the Cloud Build build environment. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
Because the attack needs no authentication and no user interaction, any remote party who can reach the affected trigger path is a potential attacker. Code run this way executes as the trigger's build service account, so a successful attack can compromise the build pipeline and its artifacts, exfiltrate secrets and source available to the build, or serve as a foothold for lateral movement into the surrounding Google Cloud project.
Google patched the issue on January 26, 2026, and states that no customer action is required. Additional details are available in the Cloud Build release notes at https://docs.cloud.google.com/build/docs/release-notes#March_03_2026.
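A check a Cloud Build owner would want after reading this: which triggers actually rely on comment control to gate pull-request builds, and therefore depended on the check that was fixed. The script below is an added example, not Google's code and not part of the original advisory. It parses a constructed stand-in for `gcloud builds triggers list --format=json` output; the field names (github.pullRequest.commentControl for first-generation GitHub triggers, repositoryEventConfig.pullRequest.commentControl for second-generation repository triggers, and the COMMENTS_* values) follow the public BuildTrigger API, while the project, repository and service-account names in the sample are made up, and treating a missing commentControl as COMMENTS_DISABLED is an assumption.

```python
"""Inventory Cloud Build triggers that gate pull-request builds with GitHub
comment control.  Added example, not Google's code.  SAMPLE_TRIGGERS_JSON is a
constructed stand-in for `gcloud builds triggers list --format=json`."""
import json
from typing import Dict, List, Optional

# Constructed sample: five triggers; two active ones rely on comment control.
SAMPLE_TRIGGERS_JSON = """
[
  {"name": "pr-ci",
   "github": {"owner": "example-org", "name": "app",
              "pullRequest": {"branch": "^main$",
                              "commentControl": "COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY"}},
   "serviceAccount": "projects/example/serviceAccounts/ci-builder@example.iam.gserviceaccount.com"},
  {"name": "push-deploy",
   "github": {"owner": "example-org", "name": "app", "push": {"branch": "^main$"}}},
  {"name": "pr-2ndgen",
   "repositoryEventConfig": {"repository": "projects/example/locations/us-central1/connections/gh/repositories/app",
                             "pullRequest": {"branch": ".*", "commentControl": "COMMENTS_ENABLED"}}},
  {"name": "pr-open",
   "github": {"owner": "example-org", "name": "docs", "pullRequest": {"branch": ".*"}}},
  {"name": "pr-old-disabled", "disabled": true,
   "github": {"owner": "example-org", "name": "legacy",
              "pullRequest": {"branch": ".*", "commentControl": "COMMENTS_ENABLED"}}}
]
"""


def pr_comment_control(trigger: Dict) -> Optional[str]:
    """Return the comment-control setting of a pull-request trigger, or None
    when the trigger does not fire on pull requests at all."""
    for cfg_key in ("github", "repositoryEventConfig"):
        pr = trigger.get(cfg_key, {}).get("pullRequest")
        if pr is not None:
            # Assumption: an absent commentControl means COMMENTS_DISABLED,
            # i.e. every pull request builds with no comment gate.
            return pr.get("commentControl", "COMMENTS_DISABLED")
    return None


def comment_gated_triggers(triggers_json: str) -> List[Dict[str, str]]:
    """Active pull-request triggers whose gate is GitHub comment control,
    i.e. the triggers that depended on the authorization check at issue."""
    findings = []
    for trig in json.loads(triggers_json):
        if trig.get("disabled"):
            continue  # a disabled trigger cannot start a build
        setting = pr_comment_control(trig)
        if setting is None or setting == "COMMENTS_DISABLED":
            continue  # not a PR trigger, or a PR trigger with no comment gate
        findings.append({
            "name": trig["name"],
            "commentControl": setting,
            # Builds run as this identity; it bounds what attacker code could reach.
            "serviceAccount": trig.get("serviceAccount",
                                       "<project default build service account>"),
        })
    return findings


if __name__ == "__main__":
    for f in comment_gated_triggers(SAMPLE_TRIGGERS_JSON):
        print(f"{f['name']}: {f['commentControl']} (runs as {f['serviceAccount']})")
```

On the sample this reports pr-ci and pr-2ndgen. The pr-open trigger is deliberately not reported: with COMMENTS_DISABLED it builds every pull request with no comment gate at all, which is a separate exposure from this CVE and worth its own review. The service account column is there because it, not the trigger, decides what a build running attacker code can read or modify.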
Details
- CWE(s): CWE-863 (Incorrect Authorization)
- Affected Products: Google Cloud Build, GitHub trigger comment control feature, prior to the fix deployed on January 26, 2026
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application); T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)
Why these techniques?
The CVE allows exploitation of a public-facing cloud application (T1190) to run arbitrary code in build pipelines, which directly enables software supply chain compromise (T1195.002).