Google Cloud Platform (GCP) BigQuery Cross Tenant Data Sources Exfiltration through Canvas Assistant – Research Advisory

The vulnerability stems from a flaw in how Gemini in BigQuery handles tool execution and session persistence within shared Canvas environments. The attack begins with the creation of a malicious Gemini Agent configured with hidden system instructions that utilize the data extraction and joiner tool. By embedding directives that command the LLM to ignore user input and instead prioritize queries against a specific target path, such as victims-project.dataset.table, the attacker creates a trap. When this malicious agent is attached to a shared Canvas and sent to a victim, the UI obfuscates the underlying system instructions, making the assistant appear benign and connected only to the attacker’s disclosed data sources.

The core of the exfiltration relies on a synchronization inconsistency between the client-side UI and the backend server. When a victim interacts with the assistant, even with a neutral greeting, the LLM executes the hidden instructions, pulling private data from the victim’s BigQuery environment into the active Canvas session. While the victim may attempt to exit without saving to prevent data exposure, the attacker can simultaneously attempt to save the report from their own session. Although the UI generates a “saving failed” error message to the attacker, the victim’s private data is covertly persisted to the server’s version of the Canvas. This allows the attacker to bypass the failed save notification and retrieve the sensitive data by simply refreshing the report or querying the underlying server state, effectively turning the Canvas saving mechanism into a stealthy exfiltration channel.

Attacker:
1. Create a canvas in Big Query, make it appealing
2. Insert the malicious instructions such as the ones in this report in the Canvas assistant and choose a random data source you own (to avoid the LLM erroring out when nothing is attached)
3. Save the Canvas
4. Send any message to the assistant so he’ll get the context (Optional – proved to work better this way while testing)
5. Share the canvas with the cross tenant victim
6. Wait for the victim to interact with the malicious assistant (you can query for changes server-side)
7. Save the canvas again, and refresh the page
8. The victim’s requested data is in the shared canvas

Victim:

1. Send any message to the malicious assistant

December 16, 2025 – Tenable reports the finding to Google

December 23, 2025 – Google classifies it as S1

January 12, 2026 – Tenable requests updates

January 14, 2026 – Google says it is still working on the issue

January 27, 2026 – Tenable requests updates and Google awards a bounty

February 5, 2026 – Google updates that the product team plans to release fix by March 6

February 23, 2026 – Tenable requests updates

February 24, 2026 – Google updates they are working on the fix

February 26, 2026 – Google says the fix rollout is still planned for March 6

March 9, 2026 – Tenable requests updates

March 10, 2026 – Google says the report is in the VRP queue and that the team is validating the fix

March 15, 2026 – Tenable shares they intend to publish the TRA and asks for a final fix confirmation

March 18, 2026 – Google shares that they added a warning to end users