Tenable Uncovers LeakyLooker Vulnerability Chain in Google's Business Intelligence Platform
Security researchers at Tenable disclosed nine critical cross-tenant vulnerabilities in Google Looker Studio on March 10, 2026, collectively dubbed LeakyLooker. The vulnerability chain could have allowed attackers to execute arbitrary SQL queries against victims' databases and steal sensitive information from Google Cloud environments across organizational boundaries.
The research team discovered these flaws during a comprehensive security assessment of Google's business intelligence platform, which serves millions of users worldwide for data visualization and reporting. Looker Studio, formerly known as Google Data Studio, integrates deeply with Google Cloud services and connects to various database systems including BigQuery, Cloud SQL, and external data sources.
The vulnerabilities exploited weaknesses in Looker Studio's tenant isolation mechanisms, which are designed to prevent one organization's data from being accessed by another. According to Tenable's findings, the flaws could be chained together to bypass these security controls and gain unauthorized access to databases belonging to other Google Cloud customers.
The attack vector involved manipulating Looker Studio's data source configuration and query processing mechanisms. Researchers demonstrated how an attacker could craft malicious data source connections that would execute SQL commands against databases they shouldn't have access to. The cross-tenant nature of these vulnerabilities made them particularly dangerous, as they could potentially affect any organization using Looker Studio with cloud-based data sources.
Google's security team worked closely with Tenable researchers following responsible disclosure protocols. The vulnerabilities were reported through Google's Vulnerability Reward Program, and patches were developed and deployed across Google's infrastructure. The company confirmed that all nine vulnerabilities have been addressed and that no customer data was compromised during the research or remediation process.
Google Cloud Customers Using Looker Studio Face Cross-Tenant Exposure Risk
The LeakyLooker vulnerabilities affected all Google Looker Studio users who connected the platform to cloud-based databases, particularly those using Google Cloud services like BigQuery and Cloud SQL. Organizations across all industries that relied on Looker Studio for business intelligence and data visualization were potentially at risk, including enterprises, government agencies, healthcare providers, and financial institutions.
The cross-tenant nature of these vulnerabilities meant that any organization sharing Google's multi-tenant cloud infrastructure could have been targeted. This included both small businesses using basic Looker Studio features and large enterprises with complex data architectures spanning multiple Google Cloud projects and regions. The risk was particularly elevated for organizations that granted broad database permissions to their Looker Studio service accounts.
Google Cloud customers using on-premises databases or third-party cloud providers connected through Looker Studio were also within the scope of potential impact. The vulnerabilities could have been exploited to access any database system that Looker Studio had been granted connection privileges to, regardless of where the database was hosted. This broad attack surface made the vulnerability chain particularly concerning for organizations with hybrid or multi-cloud architectures.
Google Deploys Comprehensive Patches Across Looker Studio Infrastructure
Google has implemented comprehensive security patches across its Looker Studio infrastructure to address all nine LeakyLooker vulnerabilities. The fixes involved strengthening tenant isolation controls, implementing additional input validation for data source configurations, and enhancing query execution sandboxing mechanisms. These changes were deployed automatically across Google's global infrastructure without requiring any action from customers.
Organizations using Looker Studio should review their data source configurations and access permissions as a precautionary measure. Google recommends following the principle of least privilege when granting database access to Looker Studio service accounts. Administrators should audit existing data source connections and ensure that service accounts have only the minimum permissions necessary for their intended functions.
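An added example, not from Tenable or Google: a least-privilege check for the audit described above, run over a constructed IAM policy in the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The project name, the service-account names and the set of roles treated as too broad are assumptions of this example.

```python
# Roles treated here as broader than a read-only reporting account needs.
# This set is an assumption of the example; adapt it to local policy.
BROAD_ROLES = {
    "roles/owner", "roles/editor",
    "roles/bigquery.admin", "roles/bigquery.dataOwner", "roles/bigquery.dataEditor",
    "roles/cloudsql.admin", "roles/cloudsql.editor",
}

SA = "@example-project.iam.gserviceaccount.com"  # constructed project

# Constructed sample policy (same structure as the gcloud JSON output).
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:looker-reports" + SA]},
        {"role": "roles/bigquery.jobUser",
         "members": ["serviceAccount:looker-reports" + SA]},
        {"role": "roles/bigquery.admin",
         "members": ["serviceAccount:looker-finance" + SA, "user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:looker-legacy" + SA],
         "condition": {"title": "temporary", "expression": "request.time < timestamp('2027-01-01T00:00:00Z')"}},
        {"role": "roles/cloudsql.admin",
         "members": ["serviceAccount:ci-deploy" + SA]},  # not a reporting account
    ],
}

def audit_policy(policy, reporting_accounts):
    """Return sorted (email, role, is_conditional) for reporting accounts holding broad roles."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES:
            continue
        conditional = "condition" in binding  # conditional grants still deserve review
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            # Only live service accounts; "deleted:serviceAccount:..." entries are skipped.
            if kind == "serviceAccount" and email in reporting_accounts:
                findings.append((email, role, conditional))
    return sorted(findings)

if __name__ == "__main__":
    accounts = {name + SA for name in ("looker-reports", "looker-finance", "looker-legacy")}
    for email, role, conditional in audit_policy(SAMPLE_POLICY, accounts):
        print(f"{email}: {role}{' (conditional)' if conditional else ''}")
```

To run it against a real project, load the saved gcloud JSON output with `json.load` and pass the set of service-account addresses that the organization's data source connections actually use.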
For enhanced security monitoring, organizations should enable Google Cloud audit logging for their Looker Studio instances and review logs for any suspicious query patterns or unauthorized data access attempts. CISA's Known Exploited Vulnerabilities catalog provides additional guidance on monitoring for signs of exploitation in cloud environments. Google has also published updated security best practices for Looker Studio deployments in its official documentation.
The company has confirmed that all patches are now active and that the vulnerabilities can no longer be exploited. Google's security team continues to monitor for any potential exploitation attempts and has implemented additional detection mechanisms to identify similar vulnerability patterns in the future. Organizations concerned about potential exposure can contact Google Cloud Support for additional security assessments of their Looker Studio deployments.




