VDB

GCVE-110-CLOUD-2020-0004

GCVE-110-CLOUD-2020-0004
Advisory Published
Vulnetix · Advisory published November 22, 2020
Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAccount.actAs permission, meaning that users of these services could elevate their privileges. Following disclosure, GCP changed these services to require this permission.

Affected Products

VendorProductVersionsPlatforms
GCPDataflow
GCPCompute Engine
GCPComposer, Dataflow, Dataproc, Dataprep, Data Fusion
GCPCloud Services

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›