Sensitive Information Exposure in Agentspace Service by Google
CVE-2026-1727

9.1CRITICAL

Key Information:

Vendor: Google Cloud
Status: Gemini Enterprise (formerly Agentspace)
Vendor: CVE Published:; 6 February 2026

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2026-1727?

The Agentspace service has a security flaw that allowed sensitive information to become vulnerable due to the reliance on predictable naming conventions for Google Cloud Storage (GCS) buckets. These names were used for logging errors and temporarily staging data imports from GCS and Cloud SQL. The predictability of the bucket names enabled attackers to exploit this weakness through 'bucket squatting', creating their own buckets prior to the legitimate user's utilization. Updates implemented after December 12, 2025, have addressed this vulnerability, requiring no action from users.

Affected Version(s)

Gemini Enterprise (formerly Agentspace) 0 < 12/12/2025

References

https://docs.cloud.google.com/gemini/enterprise/docs/rele...

CVSS V4

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 6, 2026
Vulnerability Reserved
Jan 31, 2026

Credit

Omer Amiad

CVE-2026-1727 Data

JSON