Google Patches Critical Database Leak Flaw in Looker

Google has patched a series of critical vulnerabilities in its Looker business intelligence platform that could have allowed an attacker to exfiltrate a sensitive internal database. According to a security advisory, the flaw, discovered by researchers at Tenable, affected self-hosted and on-premises deployments of the software, potentially exposing user metadata and permissions.

In a disclosure published on , researchers detailed a method to gain unauthorized access to an internal MySQL database used by Looker. The database, named “looker__ilooker,” is intended for internal management of the platform’s metadata, user accounts, and access permissions and should not be accessible to users.

The researchers found they could bypass user interface restrictions that normally prevent users from selecting this internal database when creating a new project. Once a connection to the restricted database was established, they leveraged the platform’s “data tests” feature. By crafting specific error injections, they could cause the system to return small pieces of data from the `looker__ilooker` database within the error messages, a technique that could be repeated to extract the entire database over time.

The successful exfiltration of the `looker__ilooker` database would grant an attacker a complete overview of the Looker instance’s configuration. This includes user information, permission sets, and metadata about other database connections, which could be leveraged for further attacks within a corporate network. Google has addressed the flaws in multiple versions of the software.

The following versions have been patched:

  • 25.12.30 and later
  • 25.10.54 and later
  • 25.6.79 and later
  • 25.0.89 and later
  • 24.18.209 and later

Google stated that versions 25.13 and newer are not affected by this vulnerability. The company also confirmed that its fully managed Looker Studio product and Google Cloud-hosted deployments of Looker were not affected, as the patches were applied there automatically.

The vulnerability stemmed from a combination of two weaknesses. The primary issue was an authorization bypass that allowed a user to create a project linked to the restricted internal database connection. The secondary issue was an information disclosure flaw within the error handling of the “data tests” feature, which leaked database contents when it failed, rather than returning a generic error message.
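The second weakness is a general error-handling pattern, not something specific to Looker: a test that asserts on a value read from a restricted database and then echoes the actual value in its failure message turns every failed assertion into a one-value read. The following added example (written for this article, not Looker's code or Tenable's proof of concept) contrasts that leaky pattern with a hardened one against a constructed in-memory SQLite table standing in for an internal database. The table, column and row values are invented for illustration.

```python
import logging
import sqlite3
import uuid

# Server-side log sink; in a real deployment this would be the application's log pipeline.
SERVER_LOG: list[str] = []


class _ListHandler(logging.Handler):
    """Minimal handler that keeps formatted records in SERVER_LOG (for demonstration only)."""

    def emit(self, record: logging.LogRecord) -> None:
        SERVER_LOG.append(self.format(record))


LOG = logging.getLogger("datatest")
LOG.addHandler(_ListHandler())
LOG.propagate = False


def make_internal_db() -> sqlite3.Connection:
    """Constructed stand-in for a restricted internal database (not Looker's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin@example.test", "admin"), (2, "analyst@example.test", "viewer")],
    )
    return db


class DataTestFailed(Exception):
    """Raised when an assertion in a data test does not hold."""


def run_data_test(db: sqlite3.Connection, sql: str, expected: object) -> bool:
    """Evaluate a single-value assertion, the shape a 'data test' typically takes.

    The exception message deliberately carries the actual value, which is exactly
    what must never reach an untrusted caller unfiltered.
    """
    actual = db.execute(sql).fetchone()[0]
    if actual != expected:
        raise DataTestFailed(f"expected {expected!r}, got {actual!r}")
    return True


def leaky_handler(db: sqlite3.Connection, sql: str, expected: object) -> str:
    """Weak pattern: the raw failure text, including the database value, goes back to the caller."""
    try:
        run_data_test(db, sql, expected)
        return "pass"
    except DataTestFailed as exc:
        return f"fail: {exc}"


def hardened_handler(db: sqlite3.Connection, sql: str, expected: object) -> str:
    """Hardened pattern: the caller gets a generic verdict plus an opaque reference id;
    the detail is written only to the server-side log, where an operator can look it up."""
    try:
        run_data_test(db, sql, expected)
        return "pass"
    except DataTestFailed as exc:
        ref = uuid.uuid4().hex[:12]
        LOG.warning("data test %s failed: %s", ref, exc)
        return f"fail (ref {ref})"
```

Run against the constructed table, `leaky_handler` with a deliberately wrong expectation returns the admin's e-mail address inside the failure text, while `hardened_handler` returns only `fail (ref …)` and the value lands in `SERVER_LOG`. The reference id is what lets support staff correlate a user's report with the logged detail without the detail itself leaving the server.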

At this time, neither Google nor Tenable has reported any evidence of these vulnerabilities being actively exploited in the wild. The specific CVE identifiers assigned to track these individual flaws have not been detailed in the public announcements.

While Google has secured its own cloud-hosted Looker environments, the responsibility to apply the security updates falls on customers who manage their own instances. Organizations running self-hosted or on-premises versions of Looker must manually update their software to one of the patched versions to mitigate the risk of data exfiltration.

Administrators of self-hosted Looker instances should take the following steps:

  • Immediately identify which version of Looker is running in their environment.
  • If the version is identified as vulnerable, prioritize updating to the latest stable release or one of the specified patched versions.
  • Review system and database access logs for any unusual or unauthorized connections, particularly those targeting the `looker__ilooker` database.
  • Ensure that network access controls limit direct access to the Looker instance and its underlying database from untrusted sources.
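The first three steps above can be scripted. The added example below (written for this article, not a Google or Tenable tool) triages a Looker version string against the patched releases listed in the advisory and then scans MySQL general-log style lines for connections to the `looker__ilooker` database from hosts outside an expected allowlist. The log lines are constructed for the example, and the treatment of release branches the advisory does not list (flagging them for upgrade) is an assumption, not a statement from Google.

```python
import re

# Patched releases named in the advisory, keyed by release branch (major, minor).
PATCHED_MINIMUM = {
    (25, 12): (25, 12, 30),
    (25, 10): (25, 10, 54),
    (25, 6): (25, 6, 79),
    (25, 0): (25, 0, 89),
    (24, 18): (24, 18, 209),
}
UNAFFECTED_FROM = (25, 13)  # advisory: 25.13 and newer are not affected


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a major.minor.patch version string into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage_version(text: str) -> str:
    """Classify a running Looker version against the advisory's patched releases."""
    major, minor, patch = parse_version(text)
    if (major, minor) >= UNAFFECTED_FROM:
        return "not affected"
    fixed = PATCHED_MINIMUM.get((major, minor))
    if fixed is None:
        # Assumption: the advisory lists no fix for this branch, so treat it as needing an upgrade.
        return "unlisted branch: upgrade to a patched release"
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable: update to " + ".".join(map(str, fixed)) + " or later"


# Constructed sample in the MySQL general query log layout (time, thread id, command, argument).
LOG_LINES = [
    "2025-10-01T10:00:01.000000Z\t   41 Connect\tlooker@10.0.0.5 on looker_prod using TCP/IP",
    "2025-10-01T10:00:02.000000Z\t   42 Connect\tlooker@10.0.0.5 on looker__ilooker using TCP/IP",
    "2025-10-01T10:00:03.000000Z\t   42 Query\tSELECT COUNT(*) FROM users",
    "2025-10-01T10:00:04.000000Z\t   43 Connect\tlooker@10.0.0.9 on looker__ilooker using TCP/IP",
    "2025-10-01T10:00:05.000000Z\t   44 Connect\treport@10.0.0.9 on looker_prod using TCP/IP",
]

CONNECT_RE = re.compile(r"^\S+\s+(?P<id>\d+)\s+Connect\s+(?P<user>[^@\s]+)@(?P<host>\S+) on (?P<db>\S+)")


def find_suspicious_connections(lines, expected_hosts, restricted_db="looker__ilooker"):
    """Return Connect events to the restricted database from hosts not in expected_hosts.

    Only the Looker application host(s) should ever open the internal database, so any
    other source is worth a closer look; the allowlist is the operator's own knowledge.
    """
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue
        if m["db"] == restricted_db and m["host"] not in expected_hosts:
            hits.append({"id": m["id"], "user": m["user"], "host": m["host"]})
    return hits


if __name__ == "__main__":
    for v in ("25.12.29", "25.12.30", "25.13.0", "24.16.5"):
        print(v, "->", triage_version(v))
    for hit in find_suspicious_connections(LOG_LINES, {"10.0.0.5"}):
        print("review connection", hit)
```

With the Looker application host allowlisted as `10.0.0.5`, only thread 43 (from `10.0.0.9`) is reported; the connection from the application host to the internal database is expected and is not flagged. Thread 42's query line is ignored by the scanner, which is why, in a real review, the flagged connection ids should be used to pull every `Query` line on that thread.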
