Bazel leaks user credentials through the remote assets API
Description
Bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the ones required for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bazel's remote assets API sends all user-provided credentials to the remote downloader, leaking credentials for unrelated domains.
Vulnerability
The vulnerability resides in the GrpcRemoteDownloader component of Bazel when the --experimental_remote_downloader flag is used. In Bazel versions prior to 4.2.3 (4.x) and 5.3.2 (5.x), the remote assets API receives all user-provided credentials as qualifiers, not just the credentials necessary for the requested URLs. This causes unnecessary and unintended credential exposure to the remote server. [1]
Exploitation
An attacker who controls the remote downloader server can observe the credentials sent in the request qualifiers. No additional user interaction is required beyond using the experimental remote downloader with Bazel. The attacker can passively collect credentials for any domain that Bazel has been configured to access, potentially capturing authentication tokens for various services. [1]
Impact
Successful exploitation leads to credential disclosure. An attacker gains access to credentials intended for other domains, which could be used to compromise third-party services or internal resources that Bazel is authorized to access. This violates the principle of least privilege and can result in unauthorized data access or system compromise. [1]
Mitigation
Upgrade to Bazel version 4.2.3 or later for the 4.x branch, version 5.3.2 or later for the 5.x branch, or any version in the 6.x+ line. As a workaround, users should only use a trusted remote downloader server and avoid providing unrelated credentials to Bazel. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google LLC / Bazel v5, range: 5.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The GrpcRemoteDownloader sends all user-provided credentials as qualifiers to the remote assets API instead of only the credentials required for the specific download URLs."
Attack vector
An attacker who controls or can observe the remote downloader server receives credentials for domains unrelated to the download request. Bazel sends every credential it knows about as a qualifier in the remote assets API call, so the remote server learns credentials for domains the user never intended to share [1]. The attacker does not need to compromise the target download server; any network position that can intercept or host the remote downloader endpoint is sufficient. The only precondition is that the victim uses `--experimental_remote_downloader` and has configured credentials for multiple domains.
Affected code
The vulnerability is in the `GrpcRemoteDownloader` component, which handles the remote assets API when Bazel is run with `--experimental_remote_downloader`. The advisory identifies that the credential-handling logic sends all user-provided credentials as qualifiers to the remote service, rather than only the credentials required for the specific URLs being downloaded [1].
What the fix does
The advisory recommends upgrading to Bazel 4.2.3 (4.x), 5.3.2 (5.x), or any 6.x+ version [1]. No patch diff is provided in the bundle, but the fix ensures that only the credentials required for the specific URLs being delegated to the remote downloader are sent, rather than all known credentials. Users who cannot upgrade should use only a trusted remote downloader server and avoid giving Bazel unrelated credentials as a workaround [1].
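As an added example (not Bazel's own code), the following Python model contrasts the pre-fix behaviour, which forwards a credential for every host in the store, with per-URL selection, and provides a check that a defender can run against an outgoing qualifier set. The `.netrc`-style store is constructed; the `bazel.auth_headers` qualifier name and the URL-keyed layout are assumptions about the wire format.

```python
import base64
from urllib.parse import urlsplit

# Constructed .netrc-style credential store: host -> (login, password).
CREDENTIALS = {
    "github.com": ("ci-bot", "ghp_EXAMPLE_TOKEN"),
    "artifacts.internal.example": ("builder", "artifact-secret"),
    "pypi.org": ("pypi-user", "pypi-secret"),
}

# Assumed qualifier name carrying per-URL auth headers to the remote downloader.
AUTH_QUALIFIER = "bazel.auth_headers"


def basic_auth_header(login, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def vulnerable_qualifiers(urls, credentials):
    """Pre-fix behaviour: attach a header for every host in the store,
    regardless of which hosts the requested URLs belong to."""
    auth = {f"https://{host}/": {"Authorization": basic_auth_header(*cred)}
            for host, cred in credentials.items()}
    return {AUTH_QUALIFIER: auth}


def fixed_qualifiers(urls, credentials):
    """Fixed behaviour: attach only the credential matching each requested URL."""
    auth = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host in credentials:
            auth[url] = {"Authorization": basic_auth_header(*credentials[host])}
    return {AUTH_QUALIFIER: auth}


def leaked_hosts(qualifiers, urls):
    """Hosts whose credentials are in the qualifiers but were never requested."""
    requested = {urlsplit(u).hostname for u in urls}
    present = {urlsplit(u).hostname for u in qualifiers.get(AUTH_QUALIFIER, {})}
    return sorted(present - requested)


if __name__ == "__main__":
    req = ["https://github.com/org/repo/archive/v1.tar.gz"]
    print("pre-fix leak:", leaked_hosts(vulnerable_qualifiers(req, CREDENTIALS), req))
    print("fixed leak:  ", leaked_hosts(fixed_qualifiers(req, CREDENTIALS), req))
```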
Preconditions
- (config) Bazel must be run with the --experimental_remote_downloader flag enabled
- (config) The user must have configured credentials for multiple domains (e.g., via .netrc or similar)
- (network) The remote downloader server is either attacker-controlled or observable by the attacker
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.