Google Cloud Platform (GCP) Eventarc PE to Service Agent with Pipelines – Research Advisory

Tenable Research has identified and responsibly disclosed a critical privilege escalation vulnerability in GCP Eventarc. This flaw allowed an attacker with restricted Eventarc permissions to exfiltrate access tokens for any service account in a project, including the highly privileged Eventarc Service Agent.

An attacker with only Eventarc access (roles/eventarc.messageBusUser, roles/eventarc.developer) can create a pipeline in Eventarc that authenticates using arbitrary service accounts in the project, even without iam.serviceAccounts.actAs permissions. Additionally, the user can manipulate the Eventarc service agent to authenticate with its own access token. The attacker can therefore create an Eventarc Pipeline that will authenticate to a public Cloud Run in the attacker’s control, exfiltrating the access tokens.

The Eventarc service agent has the following notable permissions, which allow the attacker to use a single exfiltration to escalate privileges to any service account:

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

Since service agents use predictable naming schemes, the attacker does not even need permissions to list all service accounts to exploit this vulnerability.

Proof of Concept:

Setup:

1. Create a public Cloud Run in the attacker’s project that logs the Authorization header
2. Give the attacker the Eventarc roles mentioned above in the victim’s project
3. Create an Eventarc Message Bus in the victim’s project

Attack:

1. Go to https://console.cloud.google.com/eventarc/pipelines/create
2. Choose a name and region for the pipeline
3. Under ‘Enrollments’, add an enrollment for the Eventarc Advanced bus, with the expression ‘true’, then press ‘Continue’
4. Press ‘Continue’ again
5. Under ‘Destination type’, choose ‘Cloud Run service (via HTTP)’, and choose the Cloud Run from the attacker’s project
6. Check ‘Enable authentication’, and choose ‘OAuth token’ for ‘Auth header’
7. Under ‘Service account’, click ‘Enter manually’, and enter a unique name (it doesn’t need to exist)
8. In your intercepting proxy, enable a ‘Match and Replace’ rule from @.iam.gserviceaccount.com to service-@gcp-sa-eventarc.iam.gserviceaccount.com
9. Click ‘Create’ (the creation may take a few minutes)
10. Once the pipeline is created, send a message to the Event Bus:

gcloud eventarc message-buses publish –location= –json-message=”{“specversion”: “1.0”, “type”: “test.event”, “source”: “manual.test”, “id”: “abc-123”, “data”: {“hello”: “world”}}”

11. Wait a little while for the pipeline to trigger, and you will find the authorization header in the logs of the Cloud Run in the attacker’s project

December 7, 2025 – Tenable reports the finding to Google, and Google acknowledges

December 16, 2025 – Google accepts the bug and assigns an S1 severity

January 4, 2026 – Tenable requests an update

January 7, 2026 – Google updates that product teams are still working on a mitigation

January 22, 2026 – Google awards a bounty

January 25, 2026 – Tenable acknowledges

February 10, 2026 – Tenable requests an update

February 12, 2026 – Google marks the issue as fixed

February 15, 2026 – Tenable requests details regarding the fix

March 2, 2026 – Tenable requests details for the fix again and shares the disclosure date

March 4, 2026 – Google gives details regarding the fix