HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Google Cloud API Keys Remain Active for Up to 23 Minutes After Deletion, Exposing a Critical Access Window

A researcher discovered that Google Cloud API keys stay functional for roughly 23 minutes after deletion, contradicting Google's claim of immediate revocation. This latency creates a brief but exploitable window for unauthorized access, impacting any organization that uses Google APIs.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 darkreading.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
darkreading.com

Google Cloud API Keys Remain Active for Up to 23 Minutes After Deletion, Exposing a Critical Access Window

What Happened — A security researcher found that Google Cloud API keys continue to function for an average of 23 minutes after a user deletes them via the console or API, despite Google’s claim that deletions are immediate. The delay creates a short‑lived window where the keys can still be used to access Google services.

Why It Matters for TPRM

  • Third‑party applications that rely on Google APIs may retain active credentials after a revocation request, risking unauthorized data access.
  • The latency can be exploited by threat actors who obtain a key shortly before deletion, allowing them to exfiltrate data or perform malicious actions.
  • Vendors and customers must reassess key‑rotation and revocation processes to ensure no residual access remains.

Who Is Affected — Cloud‑service users across all sectors (tech, finance, healthcare, retail, etc.) that integrate Google Cloud APIs, especially those managing high‑privilege service accounts.

Recommended Actions

  • Verify that any decommissioned API keys are fully revoked before re‑using or discarding them.
  • Implement automated monitoring to detect API calls from keys flagged for deletion.
  • Adjust key‑rotation policies to account for a 30‑minute grace period after deletion.
  • Engage Google support to confirm the expected revocation timeline and request any available hard‑delete options.

Technical Notes — The issue stems from an internal propagation delay within Google’s credential management system; no CVE has been assigned. Affected keys can still invoke any API scopes they were originally granted, including Cloud Storage, BigQuery, and IAM‑related endpoints. Source: Dark Reading

📰 Original Source
https://www.darkreading.com/identity-access-management-security/google-api-keys-active-after-deletion

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →