A critical, unpatched vulnerability in Google Cloud Config Connector — a Kubernetes add-on used to manage GCP resources — allows an attacker to take full control of cloud accounts and the GCP resources they govern. Google has acknowledged the finding but has not issued a patch as of June 18, 2026; no CVE identifier has been assigned. Mitigation depends entirely on compensating controls and service account privilege reduction until a vendor fix is available.