VDB

GCVE-110-CLOUD-2024-0017

GCVE-110-CLOUD-2024-0017
Advisory Published
Vulnetix · Advisory published September 16, 2024
The Document AI service unintentionally allows users to read any Cloud Storage object in the same project, in a way that isn't properly documented. The Document AI service agent is auto-assigned with excessive permissions, allowing it to access all objects from Cloud Storage buckets in the same project. Malicious actors can exploit this to exfiltrate data from Cloud Storage by indirectly leveraging the service agent's permissions. This vulnerability is an instance of transitive access abuse, a class of security flaw where unauthorized access is gained indirectly through a trusted intermediary.

Affected Products

VendorProductVersionsPlatforms
GCPDocument AI, Cloud Storage
AzureStorage

References

advisory
advisory

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›