Tenable, a company specialising in cloud exposure management, has discovered a security vulnerability in Google Cloud Run, raising fresh concerns about the growing complexity and interconnectedness of cloud services. The flaw, which Tenable researchers have named ImageRunner, could have allowed attackers to escalate privileges, bypass access controls, and retrieve private container images, potentially leading to data exposure and other security threats.
Google Cloud Run is a serverless platform that allows users to deploy and manage containers without managing the underlying infrastructure. It uses a service agent with elevated permissions to pull container images from private repositories such as Google Container Registry or Artifact Registry. According to Tenable, this configuration posed a security risk when combined with user roles that had edit permissions on Cloud Run.
Tenable’s investigation found that an attacker with such permissions could exploit the inherited access rights of the Cloud Run service agent to pull private container images. These images could then be used to deploy malicious applications or to inspect and extract sensitive data embedded in them. The vulnerability demonstrated how interdependent configurations in cloud systems can amplify the consequences of what might appear to be isolated permission settings.
The Jenga concept and cascading risks
Tenable coined the term “Jenga Concept” to describe this layered risk structure in cloud services. The name refers to how modern cloud platforms are built with multiple services stacked upon one another. When one layer has overly permissive or insecure settings, it can unintentionally compromise others, causing widespread issues.
“In the game of Jenga, removing a single block can undermine the entire structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services function similarly. If one component has risky default settings, those risks can trickle down to dependent services, increasing the risk of security breaches.”
The ImageRunner vulnerability is a clear example of this concept in action, where the elevated privileges granted to a core service inadvertently opened up a path for attackers to exploit.
Google patches issue, no user action required
Google has since patched the vulnerability and stated that no further action is needed from users. While the immediate risk has been resolved, Tenable stressed the importance of learning from this case to prevent similar threats in the future.
If exploited, ImageRunner could have allowed attackers to inspect private container images, extract secrets or sensitive configuration data, modify deployment parameters to run unauthorised code, or even exfiltrate critical data for cyberespionage or other malicious purposes.
Tenable recommends that security teams adopt several best practices in light of this discovery. These include strictly following the principle of least privilege to minimise unnecessary permission inheritance, using tools such as Jenganizer to uncover hidden service dependencies, and routinely reviewing access logs to spot suspicious activity.
“The discovery of ImageRunner reinforces the need for proactive cloud security measures. As cloud environments grow more complex, security teams must anticipate and mitigate risks before attackers exploit them,” added Matan.
As organisations continue to move more services and infrastructure into the cloud, the ImageRunner case underlines the importance of understanding the invisible links between services and ensuring each component is secure—not just in isolation, but in how it interacts with the rest of the system.
