Researchers identified two five-alarm security issues in Google Looker that could enable attackers to access sensitive secrets and, in cloud deployments, move laterally across tenants. The team demonstrated a cross-tenant remote code execution (RCE) chain that starts with a path traversal and leverages Looker’s Git integration to run arbitrary code on the Looker server, potentially giving attackers access to other organisations’ cloud environments and data on Google Cloud Platform.
The second vulnerability, an SQL injection in Looker’s internal database, could let an attacker dump secret data by repeatedly triggering error messages that leak their contents; it is tracked as CVE-2025-12743 with a CVSS score of 6.0. On 4 February 2026, Tenable described both the RCE chain and the separate SQL injection flaw, and Google subsequently fixed both issues; on-premises deployments require manual updates to the versions listed in security bulletin GCP-2025-052.
According to Tenable, Looker’s architecture, including its Git hooks and shared infrastructure in multi-tenant deployments, creates a high-risk attack surface. Organizations should apply the patch and follow least-privilege practices to isolate Looker instances.