A recently disclosed vulnerability in Google Cloud Platform’s (GCP) Cloud Composer, dubbed “ConfusedComposer,” has raised concerns about privilege escalation risks in cloud service orchestration.
Discovered by Tenable Research, the flaw could have allowed attackers with the composer. environments.
Update permission to escalate their privileges by exploiting the default Cloud Build service account, which is endowed with broad permissions across GCP services, including Cloud Build, Cloud Storage, and Artifact Registry.
Cloud Composer, built on Apache Airflow, is GCP’s managed workflow orchestration tool for automating data pipelines.
It relies on Cloud Build—a continuous integration and delivery (CI/CD) service—to install custom Python packages (PyPI) in Composer environments.
The vulnerability stemmed from the way Composer triggered Cloud Build to install these packages: the process automatically provisioned a Cloud Build instance using the highly privileged default Cloud Build service account.
An attacker with the ability to update a Composer environment could inject a malicious PyPI package into the environment’s configuration.
When Cloud Build attempted to install this package, the Python package installer (pip) would execute any pre- or post-installation scripts embedded in the package.
This allowed the attacker to run arbitrary code within the Cloud Build environment, despite not having direct access to the Composer or Cloud Build service accounts.
Exploitation Path: From Malicious Packages to Full Project Control
The exploitation method was both straightforward and potent.
By leveraging pip’s automatic execution of installation scripts, an attacker could insert code that accessed the Cloud Build instance’s metadata API.
This enabled them to extract and exfiltrate the access token of the default Cloud Build service account.
With this token, the attacker could assume the identity of the privileged service account, gaining control over a wide range of GCP resources—potentially even full ownership of the project.
This attack was particularly insidious because it did not require direct access to the sensitive service accounts themselves.
The only prerequisite was the ability to update a Composer environment, a permission that might be more widely granted than full administrative rights.
By simply adding a malicious package, attackers could escalate their privileges far beyond their initial access level.
Google’s Response and the Broader “Jenga” Security Challenge
After being notified by Tenable, Google moved quickly to address the vulnerability.
As of December 2024, new Cloud Composer 2 environments (version 2.10.2 or later) use the Composer environment’s service account, rather than the default Cloud Build service account, for PyPI package installations.
By April 2025, this change was rolled out to all existing Composer 2 environments.
Cloud Composer 3 environments were not affected, as they already used the more secure configuration.
This incident highlights a broader class of cloud vulnerabilities, likened by researchers to a “Jenga” tower, where interconnected services can inherit and amplify security risks.
ConfusedComposer is a variant of a previous GCP vulnerability, ConfusedFunction, and underscores the dangers of hidden service interdependencies and default permissions in complex cloud environments.
Google has updated documentation and advised customers to review permissions and avoid unnecessary privilege grants.
According to Google, there is no evidence that the vulnerability was exploited in the wild.
The ConfusedComposer case serves as a critical reminder: in the cloud, the interplay between automated services and default configurations can create unexpected security gaps, making continuous vigilance and prompt remediation essential.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=Discovered by Tenable Research, the flaw could have allowed attackers with the composer.){kind=link}