
Google disputes GCP Kubernetes flaw, no fix after 3 months

Researcher claims Config Connector bug allows IAM bypass; Google says it's working as intended.


A security researcher has accused Google of dismissing a critical vulnerability in its Google Cloud Platform (GCP) Kubernetes integration, leaving organizations exposed to potential privilege escalation attacks. The flaw, dubbed ConfigConfusion, reportedly allows attackers to bypass GCP Identity and Access Management (IAM) controls and gain full administrative access to cloud environments. Google maintains the issue does not qualify as a vulnerability and has not issued a fix or assigned a CVE identifier after nearly three months of internal review.

The dispute centers on Config Connector, an open-source Kubernetes add-on that enables management of Google Cloud resources through Kubernetes manifests. According to researcher Justin O'Leary, the tool lacks proper authorization checks, allowing any Kubernetes namespace user to escalate privileges to the highest organizational level without IAM validation.

What was reported

O'Leary submitted the vulnerability to Google on March 8, 2026. The company initially acknowledged the issue, with a Google security engineer telling O'Leary "Nice catch!" and assigning it P1 priority and S1 severity ratings. The bug report remains marked as "in progress (accepted)" in Google's system, though the company later informed O'Leary that no reward would be issued because the behavior was deemed intentional.

In a demonstration video, O'Leary showed how an attacker could gain full administrative control of a GCP organization by submitting three lines of YAML through kubectl, with the entire process taking approximately five seconds. The exploit works by submitting a malicious IAMPolicyMember resource, which Config Connector processes without verifying the requesting user's permissions. The tool then uses its own elevated credentials to execute the request, leaving no audit trail of the original user's involvement.

Background

Config Connector is a Kubernetes operator developed by Google that allows users to manage Google Cloud resources using Kubernetes manifests. It translates Kubernetes API calls into Google Cloud API requests, enabling infrastructure-as-code workflows within Kubernetes environments. The tool is commonly used in GKE (Google Kubernetes Engine) deployments to automate cloud resource provisioning.

Google's response

Google told The Register that the reported issue does not qualify as a vulnerability because exploitation requires access to a Config Connector service account with Organization Admin role permissions. A company spokesperson stated: "The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that's been granted the Organization Admin role by the organization (i.e., it is privileged)."

The company further argued that such access violates Google Cloud's principle of least privilege and publicly shared best practices. However, O'Leary countered that Google's own documentation instructs users to configure Config Connector with these exact permissions, creating a contradiction between recommended practices and the company's security assessment.

"A developer with kubectl access to one namespace – and zero GCP IAM permissions – should not be able to become Organization Owner. They also shouldn't be able to impersonate any service account in the project with no audit trail." — Justin O'Leary, security researcher

Industry implications

This case reflects broader tensions between security researchers and cloud providers regarding vulnerability disclosure practices. O'Leary previously reported a similar issue to Microsoft involving Azure Backup for AKS, which the company initially rejected before silently patching without issuing a CVE or security advisory. Such patterns raise concerns about transparency in cloud security, particularly for widely used managed services.

For organizations using Config Connector, the dispute creates uncertainty about potential exposure. While Google maintains the configuration is working as intended, the researcher's demonstration suggests that standard Kubernetes access could enable complete cloud environment compromise under certain configurations. The lack of audit trails for such privilege escalation attempts further complicates detection and response efforts.
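Because the request to Google Cloud is made with Config Connector's own credentials, the submitting user has to be recovered from the Kubernetes side. The following is an added example, not code from the article, Google or the researcher: it scans Kubernetes API server audit events for writes to Config Connector IAM resources and reports who submitted them. It assumes audit logging is enabled in the upstream `audit.k8s.io/v1` JSON-lines format at a level that records request bodies; the sample events, the scope list and the role markers are constructed assumptions.

```python
import json

CNRM_IAM_GROUP = "iam.cnrm.cloud.google.com"  # Config Connector IAM API group
IAM_RESOURCES = {"iampolicymembers", "iampolicies", "iampartialpolicies"}
WRITE_VERBS = {"create", "update", "patch"}
# Assumption: what this example treats as high risk; tune for your organization.
HIGH_SCOPES = {"Organization", "Folder", "Project"}
HIGH_ROLES = ("roles/owner", "organizationAdmin", "serviceAccountTokenCreator")

def find_iam_writes(audit_lines):
    """Return a finding for each audit event that writes a Config Connector IAM resource."""
    findings = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS
                or ref.get("apiGroup") != CNRM_IAM_GROUP
                or ref.get("resource") not in IAM_RESOURCES):
            continue
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        # IAMPolicyMember carries one role; IAMPolicy/IAMPartialPolicy carry bindings.
        roles = [spec["role"]] if spec.get("role") else []
        roles += [b.get("role", "") for b in spec.get("bindings") or []]
        scope = (spec.get("resourceRef") or {}).get("kind", "")
        user = (ev.get("user") or {}).get("username", "unknown")
        high = scope in HIGH_SCOPES and any(m in r for r in roles for m in HIGH_ROLES)
        findings.append({"user": user, "namespace": ref.get("namespace"), "scope": scope,
                         "name": ref.get("name"), "roles": roles, "high_risk": high})
    return findings

def _event(user, resource, name, spec, group=CNRM_IAM_GROUP):  # constructed sample event
    return json.dumps({"stage": "ResponseComplete", "verb": "create",
        "user": {"username": user}, "requestObject": {"spec": spec},
        "objectRef": {"apiGroup": group, "resource": resource,
                      "namespace": "team-a", "name": name}})

SAMPLE_LOG = [  # constructed for this example, not from a real cluster
    _event("dev@example.com", "iampolicymembers", "grant-1",
           {"role": "roles/resourcemanager.organizationAdmin",
            "resourceRef": {"kind": "Organization", "external": "000000000000"}}),
    _event("ci@example.com", "iampolicymembers", "bucket-read",
           {"role": "roles/storage.objectViewer",
            "resourceRef": {"kind": "StorageBucket", "name": "assets"}}),
    _event("dev@example.com", "configmaps", "settings", {}, group=""),
    "{not json",
]
```

Calling `find_iam_writes(SAMPLE_LOG)` returns two findings, of which only the organization-scoped grant by `dev@example.com` is marked `high_risk`.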
