YouTube and Google: Researcher Earns $148,337 for Google Cloud Production RCE Vulnerability

Google Cloud RCE Flaw Earns Researcher $148,337 in Bug Bounty Payout

Security researcher Arvin Shivram uncovered a critical remote code execution (RCE) vulnerability in Google Cloud’s Application Integration service, earning a total of $148,337 through Google’s Vulnerability Reward Program (VRP). The flaw, tracked as CVE-2026-2031, carried a CVSS score of 10.0 and stemmed from an access control weakness that let an external caller run code inside Google’s production environment.

The exploit chain began when an automated fuzzing tool flagged an internal API (cloudcrmipfrontend-pa.googleapis.com) that exposed debugging endpoints. Further investigation revealed an endpoint (v1/integrationPlatform/getProtoDefinition) that leaked protobuf descriptors for internal services, including YouTube and Google’s CRM stack. Because a descriptor set carries the complete message and service definitions, a leak of this kind hands an attacker the request and response schemas of each backend, so later calls can be crafted without guessing field names, types or method paths. That near-complete view of Google’s internal API schemas simplified the rest of the chain.

A second endpoint (listQuotaQueue) leaked an internal workflow execution queue and a default clientId, which was enough to create malicious draft workflows. The researcher then used GenericStubbyTypedTaskV2, a task type in Google’s Stubby RPC framework, to issue arbitrary RPC calls under the integration platform’s privileged service identity. Publishing a workflow required two-person approval, but the researcher bypassed that control by calling an internal ACL endpoint (integrationPlatform/auth/setAcl) to add attacker-controlled accounts as both requester and approver. The practical lesson is that a two-person rule is only as strong as the authorization on whoever can edit the approver list: if the requester can write the ACL, the rule degrades to a single-person check with two accounts.

In collaboration with another researcher ("shrugged"), Shivram later found that Google’s initial fixes had reached only some backend instances, so the RCE chain kept working against the unpatched ones. Three months later, a second RCE chain was identified, involving insecure direct object references (IDOR) and the "test cases" feature, which enabled cross-tenant access to workflow definitions, including those used by internal Google teams.

Google addressed the vulnerabilities by restricting internal endpoint access, patching the IDOR weaknesses, and strengthening RPC security controls. The payouts were $60,000 for the first RCE chain, $75,000 for the second, and an additional $13,337 for a lingering privilege escalation issue. The incident highlights the risks of exposed internal APIs and misconfigured access controls in cloud environments, and the need to verify that a fix has actually rolled out to every instance before closing the report.
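The two access-control failure classes named above (an object lookup keyed only by a caller-supplied id, i.e. IDOR, and a two-person approval whose approver ACL the requester can edit) are general enough to model in a few lines. The following is an added illustration written for this page; it is not Google’s code and says nothing about how Application Integration is actually implemented. Every tenant, account and workflow id in it is constructed, and the vulnerable and hardened paths sit side by side so the difference is the check itself rather than the surrounding plumbing.

```python
# Added illustration, not Google's code: a toy model of an unscoped lookup
# (IDOR) and of a two-person approval with an attacker-writable approver ACL,
# each beside a hardened form. All tenants, accounts and ids are constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised by the hardened paths when access is denied."""


@dataclass
class Workflow:
    workflow_id: str
    tenant: str
    definition: str
    approvers: set = field(default_factory=set)


class WorkflowStore:
    def __init__(self):
        self._by_id = {}

    def add(self, wf):
        self._by_id[wf.workflow_id] = wf

    def get_unscoped(self, workflow_id):
        # Vulnerable: the only key is the caller-supplied id, so anyone who
        # knows or guesses an id reads another tenant's workflow definition.
        return self._by_id[workflow_id]

    def get_scoped(self, caller_tenant, workflow_id):
        # Hardened: the tenant comes from the authenticated caller context,
        # never from the request, and a wrong-tenant id gets the same answer
        # as a nonexistent one so the lookup does not confirm existence.
        wf = self._by_id.get(workflow_id)
        if wf is None or wf.tenant != caller_tenant:
            raise Forbidden("no such workflow in this tenant")
        return wf


class ApprovalPolicy:
    """Two-person publish rule. The approval check itself is the same on both
    paths; what differs is who may write the approver ACL it consults."""

    def __init__(self, tenant_admins):
        self._admins = {t: set(a) for t, a in tenant_admins.items()}

    def set_acl_weak(self, wf, caller, approvers):
        # Vulnerable: no check on the caller, so a requester with a second
        # account appoints that account as approver and satisfies the rule.
        wf.approvers = set(approvers)

    def set_acl(self, wf, caller, approvers):
        # Hardened: only a tenant admin may change who counts as an approver.
        if caller not in self._admins.get(wf.tenant, set()):
            raise Forbidden("only tenant admins may change approvers")
        wf.approvers = set(approvers)

    def can_publish(self, wf, requester, approver):
        # Distinct principals and ACL membership are necessary but, as the
        # weak ACL path shows, not sufficient on their own.
        return requester != approver and approver in wf.approvers


def demo_idor():
    store = WorkflowStore()
    store.add(Workflow("wf-1001", "tenant-a", "alpha definition"))
    store.add(Workflow("wf-2002", "tenant-b", "beta definition"))
    # A tenant-a caller asks for tenant-b's workflow on both paths.
    leaked = store.get_unscoped("wf-2002").definition
    try:
        store.get_scoped("tenant-a", "wf-2002")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


def demo_approval():
    policy = ApprovalPolicy({"tenant-a": {"admin@tenant-a.example"}})
    attacker, second_account = "eve@attacker.example", "eve2@attacker.example"
    wf = Workflow("wf-1001", "tenant-a", "alpha definition")
    policy.set_acl_weak(wf, attacker, {second_account})
    weak_result = policy.can_publish(wf, attacker, second_account)
    wf = Workflow("wf-1001", "tenant-a", "alpha definition")
    try:
        policy.set_acl(wf, attacker, {second_account})
    except Forbidden:
        pass
    hardened_result = policy.can_publish(wf, attacker, second_account)
    return weak_result, hardened_result


if __name__ == "__main__":
    print("idor:", demo_idor())
    print("approval (weak, hardened):", demo_approval())
```

The point of keeping `can_publish` identical on both paths is that the published check can look correct in review while the real weakness sits one call away, in whoever is allowed to write the data that check reads. Reviewing an approval flow therefore means tracing every writer of the approver set, not just the comparison at publish time.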

Source: https://cybersecuritynews.com/google-cloud-production-rce-vulnerability/

YouTube cybersecurity rating report: https://www.rankiteo.com/company/youtube

Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud

"id": "YOUGOO1782210666",
"linkid": "youtube, google-cloud",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology, Cloud Computing',
                        'location': 'Global',
                        'name': 'Google Cloud',
                        'size': 'Large enterprise',
                        'type': 'Cloud service provider'}],
 'attack_vector': 'Exposed internal API endpoints, misconfigured access '
                  'controls, insecure direct object references (IDOR)',
 'data_breach': {'file_types_exposed': 'Protobuf descriptors, workflow '
                                       'definitions',
                 'sensitivity_of_data': 'High (internal Google services, '
                                        'including YouTube and CRM)',
                 'type_of_data_compromised': 'Protobuf descriptors, internal '
                                             'API schemas, workflow execution '
                                             'queues, workflow definitions'},
 'description': 'Security researcher Arvin Shivram uncovered a critical remote '
                'code execution (RCE) vulnerability in Google Cloud’s '
                'Application Integration service, tracked as CVE-2026-2031, '
                'with a CVSS score of 10.0. The flaw stemmed from an access '
                'control issue allowing attackers to execute arbitrary code in '
                'Google’s production environment. The exploit chain involved '
                'exposed debugging endpoints, leaked protobuf descriptors, and '
                'manipulation of internal workflows and ACLs. A second RCE '
                'chain was later discovered involving insecure direct object '
                'references (IDOR) and cross-tenant access to workflow '
                'definitions.',
 'impact': {'brand_reputation_impact': 'Potential reputational risk due to '
                                       'critical RCE vulnerability in cloud '
                                       'service',
            'data_compromised': 'Protobuf descriptors for internal services '
                                '(YouTube, Google CRM), internal workflow '
                                'execution queues, workflow definitions',
            'financial_loss': '$148,337 (bug bounty payout)',
            'operational_impact': 'Potential for arbitrary code execution in '
                                  'Google’s production environment, '
                                  'cross-tenant access to workflows',
            'systems_affected': 'Google Cloud Application Integration service, '
                                'internal Google services (YouTube, CRM '
                                'stack), Stubby RPC framework'},
 'initial_access_broker': {'entry_point': 'Exposed internal API '
                                          '(`cloudcrmipfrontend-pa.googleapis.com`)',
                           'high_value_targets': 'Internal Google services '
                                                 '(YouTube, CRM), workflow '
                                                 'execution queues'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Risks of exposed internal APIs, misconfigured access '
                    'controls, and insecure direct object references in cloud '
                    'environments. Importance of thorough patch deployment and '
                    'validation.',
 'motivation': 'Bug bounty reward, security research',
 'post_incident_analysis': {'corrective_actions': 'Restricted internal '
                                                  'endpoint access, patched '
                                                  'IDOR weaknesses, '
                                                  'strengthened RPC security '
                                                  'controls, validated patch '
                                                  'deployment',
                            'root_causes': 'Exposed internal API endpoints, '
                                           'access control misconfigurations, '
                                           'insecure direct object references '
                                           '(IDOR), partial patch deployment'},
 'recommendations': 'Restrict access to internal APIs, enforce strict access '
                    'controls, validate patch deployment, monitor for exposed '
                    'debugging endpoints, and secure workflow approval '
                    'processes.',
 'references': [{'source': 'Google Vulnerability Reward Program (VRP)'}],
 'response': {'containment_measures': 'Restricted access to internal '
                                      'endpoints, patched IDOR weaknesses, '
                                      'strengthened RPC security controls',
              'remediation_measures': 'Deployed fixes for access control '
                                      'misconfigurations, removed exposed '
                                      'debugging endpoints, secured workflow '
                                      'approval processes'},
 'threat_actor': 'Arvin Shivram (security researcher), collaborated with '
                 "'shrugged'",
 'title': 'Google Cloud RCE Flaw Exploited via Internal API Misconfigurations',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-2031 (CVSS 10.0), access control '
                            'misconfigurations, IDOR, protobuf descriptor '
                            'leakage'}