A cybersecurity researcher recently received $148,337 from Google for identifying significant vulnerabilities in the Google Cloud Application Integration service. These vulnerabilities escalated to remote code execution (RCE) within Google’s production environment.
Critical Vulnerability Details
Identified as CVE-2026-2031, the vulnerability is a serious access control issue in Google Cloud Application Integration and carries the maximum CVSS score of 10.0. Arvin Shivram, the researcher who discovered the flaw, detailed his findings in a blog post titled “StubZero: $148,337 RCE in Google Cloud Production” on BruteCat.
Shivram’s exploration began with an automated tool that detected anomalies in the API cloudcrmipfrontend-pa.googleapis.com, which returned suspicious debugging responses. This led to further investigation of an endpoint that disclosed internal message schemas, vital for understanding Google’s API structure.
Exploitation Process and Discovery
The research revealed an API surface that exposed internal workflow data through a specific endpoint. By leveraging this information and a leaked client ID, Shivram created draft workflows, exploring various internal tasks documented within Google’s system. The pivotal discovery involved the GenericStubbyTypedTaskV2 task, which allowed for arbitrary RPC calls using privileged service identities.
Through these actions, Shivram demonstrated how Stubby-level access could lead to RCE in Google’s production environment, a scenario that Google’s Cloud Vulnerability Reward Program classifies as granting significant internal access.
Google’s Response and Mitigation
Initially, Google mitigated the vulnerability by restricting endpoint access and enhancing security protocols. However, Shivram, collaborating with another researcher, identified that these mitigations were not fully implemented across all backend instances. By targeting vulnerable instances, they maintained the exploit path temporarily.
Additionally, a second vulnerability chain involving insecure direct object references (IDOR) was discovered, allowing access to sensitive workflow definitions across different tenants.
Significant Reward and Conclusion
For his findings, Google awarded Shivram a total of $148,337, reflecting the critical impact of his discoveries. This included $60,000 for the initial chain, $75,000 for the subsequent IDOR-related findings, and $13,337 for a single-service privilege escalation issue.
The research underscores the importance of continuous monitoring and security assessment within cloud environments. It also highlights the role of responsible disclosure and reward programs in enhancing cybersecurity defenses.
