logo

Google told researcher 'Nice catch!' Then denied bug bounty for flaw it still hasn't fixed

ID: dc247833-c1b4-59d9-9dac-8c0719fdbcea

STIX ID: report--dc247833-c1b4-59d9-9dac-8c0719fdbcea

Feed Name: The Register (Security)

Threat Score
78/100

Date Published: 2026-06-18

Date Updated: 2026-06-18

...
...

### Executive summary A security researcher disclosed "ConfigConfusion," a missing-authorization vulnerability in Google's open-source Config Connector Kubernetes operator that allows an attacker with kubectl access to a namespace to submit a malicious IAMPolicyMember and be promoted to GCP Organization Owner using the operator's elevated service account; Google initially classified the bug as P1/S1 but later declined a bounty and has not issued a CVE or patch.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.