Zero-Click Cross-Tenant SQL Injection in GCP Looker Studio

Critical Vulnerability Information Vulnerability Overview Vulnerability Type: Zero-Click Cross-Tenant SQL Injection Affected Product: GCP Looker Studio Risk Level: Critical Risk Factor: Critical Vulnerability Details Root Cause: Improper sanitization of user-controlled input in batched DataV2 HTTP requests, leading to dynamically generated column aliases being directly injected into BigQuery or potentially Spanner queries. Exploitation Process 1. Access the victim’s report. 2. Proxy the request and capture the batched DataV2 request. 3. Inject SQL into JSON values and send the request. 4. Refresh the victim’s report. 5. The SQL executes on the victim’s data. Remediation Google has fixed this issue. Disclosure Timeline June 3, 2025: Tenable reported the finding to Google. June 5, 2025: Google classified severity as S1. June 6, 2025: Tenable added additional details. June 26, 2025: Google awarded a bounty. July 2, 2025: Tenable requested an update on remediation status. July 15, 2025: Tenable requested an update. July 15, 2025: Google stated that due to a high volume of submissions and requests, a delay was necessary. July 23, 2025: Tenable requested regular updates and a two-week extension interval. July 31, 2025: Google and Tenable agreed to maintain the original disclosure date. July 31, 2025: Google confirmed all bugs had been fixed. August 11, 2025: Google confirmed the fix and validation by the team. August 14, 2025: Tenable requested details on the implementation of the fix. August 25, 2025: Google provided details on the fix. August 28, 2025: Tenable shared the TRA draft for Google’s review. August 28, 2025: Due to holidays, Tenable postponed the publication date to September 3.

Goal Reached Thanks to every supporter — we hit 100%!

Zero-Click Cross-Tenant SQL Injection in GCP Looker Studio