On April 27, 2026 we released an updated version of the Apigee hybrid software, v1.14.4.
Sidecar authentication for Workload Identity Federation on non-GKE platforms
Starting in version v1.14.4, you can now use a sidecar along with Workload Identity Federation on non-GKE platforms to mount security tokens from your preferred identity provider (IDP) for service account authentication. See Use sidecar authentication for Workload Identity Federation on non-GKE platforms.
| Bug ID | Description |
|---|---|
| 471527485, 471173296, 471172082, 471171833 | Security fixes for apigee-synchronizer. This addresses the following vulnerabilities: |
| 471290390, 471199955, 471197958, 470990914 | Security fixes for apigee-runtime. This addresses the following vulnerabilities: |
| 470992132, 470991089, 470989623, 470989232, 470988977 | Security fixes for apigee-mart-server. This addresses the following vulnerabilities: |
| 470953507, 470953254, 470952893 | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 451224723, 451224123 | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities:
|
| N/A | Security fixes for apigee-asm-ingress. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-asm-istiod. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-connect-agent. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-envoy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra-client. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-operators. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-prom-prometheus. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-redis. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-stackdriver-logging-agent. This addresses the following vulnerabilities:
|
| N/A | Security fixes for apigee-udca. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-watcher. This addresses the following vulnerability: |
Managed Cloud Service Mesh using the TRAFFIC_DIRECTOR implementation in the
regular channel now supports a limited implementation of the EnvoyFilter API.
To learn about the supported fields, extensions, and how to use EnvoyFilter
for features like local rate limiting see
Data plane extensibility with EnvoyFilter.
To troubleshoot any issue while configuring, see Resolving data plane extensibility issues.
Cloud Trace is a service covered by the Cloud Observability (Monitoring, Logging, Trace) Service Level Agreement (SLA).
The preconfigured base images
include a notification when the running_timeout for the workstation is
close to being reached.
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
The Database Center REST and RPC APIs are available in Preview. The Database Center API provides access to an organization-wide, cross-product database fleet health platform. You can use the API to aggregate health, security, and compliance signals from various Google Cloud databases.
For more information, see the Database Center API reference.
Database Center support for Model Context Protocol (MCP) is generally available (GA). You can use the Database Center remote MCP server to connect to Database Center from AI applications such as Gemini CLI, ChatGPT, or Claude. The MCP server provides access to Database Center tools that help you review fleet health, audit inventory, and check for security issues.
For more information, see Use the Database Center remote MCP server and the Database Center MCP tools reference.
Database Center fleet insights are available in Preview. Fleet insights highlight inventory and performance insights generated by Gemini. You can use these insights to identify and understand specific issues in your database fleet.
For more information, see View the performance of your database fleet and View your fleet inventory.
Database Center dashboard reporting is available in Preview. You can configure daily, weekly, and monthly reports that summarize your fleet inventory and health.
For more information, see Create reports for your dashboard views.
Database Center can monitor BigQuery resources. The resources table shows the following for a BigQuery database:
Datasets for a BigQuery database. For more information, see Introduction to datasets.
The number of reservations, which reserve resources, to process queries.
This feature is in Preview.
Database Center lets you monitor active queries across your fleet to identify and analyze query issues, such as slow queries. This feature supports AlloyDB for PostgreSQL and Cloud SQL database products.
For more information, see View the performance of your database fleet.
Monitoring the inventory, metrics, and alerts for Oracle Database@Google Cloud databases using Database Center is generally available (GA). For more information, see Supported health issues.
Cloud Composer is now called Managed Service for Apache Airflow. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Managed Airflow overview.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Knowledge Catalog overview.
Vertex AI is now called Gemini Enterprise Agent Platform. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Agent Platform overview.
BigLake is now called Google Cloud Lakehouse. BigLake metastore is now called the Lakehouse runtime catalog. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) remain unchanged and still reference BigLake.
Mobile SDK for iOS version 2.15.2 patch
This patch updates the following for the mobile SDK for iOS:
You can use window functions with GoogleSQL in Bigtable to perform advanced analytic operations over multiple table rows. This feature is generally available (GA). For more information, see Window functions.
Google Distributed Cloud (software only) for VMware 1.32.1100-gke.84 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.32.1100-gke.84 runs on Kubernetes v1.32.13-gke.100.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.32.1100-gke.84:
Google Distributed Cloud (software only) for bare metal 1.32.1100-gke.84 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.1100-gke.84 runs on Kubernetes v1.32.13-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.32.1100-gke.84:
The following issues were fixed in 1.32.1100-gke.84:
Terminating state. Because
the Kubernetes Eviction API rejects operations in terminating namespaces, the
cluster controller entered an infinite retry loop. The fix updates the drain
process to skip eviction for pods in terminal phases, allowing the upgrade to
proceed normally.
etcd-events pod read the stale data directory when it started and attempted
to reuse the old member ID to rejoin the cluster instead of the new one.
Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures the /var/lib/etcd-events directory is
cleared upon failure, and adds retry logic to kubeadm-reset to improve
resiliency against transient API errors.
containerd
restarts. After the fix, tasks are locked and run sequentially to ensure each
task completes successfully before the next begins. Each lock is held for up
to 20 minutes or until the task reaches success or failure.
To bypass this safety mechanismrun and run tasks concurrently, add the
following annotation to your cluster: baremetal.cluster.gke.io/
concurrent-machine-update: "true".
kubeadm-reset during an upgrade or reset could crash and enter an infinite
retry loop, blocking the operation. This occurred because the tool failed to
read cluster configuration on newer Kubernetes versions.The following known issues affect Agent Registry:
SearchAgents or SearchMcpServers APIs for the global location, the results might incorrectly include resources from us and eu multi-regions.The Agent Registry remote Model Context Protocol (MCP) server is available in Preview. You can connect your AI applications to the Agent Registry MCP server to dynamically discover other agents, endpoints, and MCP servers available in your environment.
For more information, see Use the Agent Registry remote MCP server.
Agent Registry is available in Preview. Agent Registry is a centralized catalog for discovering and registering agents and Model Context Protocol (MCP) servers.
For more information, see the Agent Registry overview.
Database Migration Service quick-start migrations (in Preview) are now integrated into AlloyDB to provide a lightweight, continuous migration flow. This feature automates setup for sources with private IPs in a VPC network, including Cloud SQL for PostgreSQL and self-managed databases on Compute Engine.
For more information, see Quick-start migrations overview in the Database Migration Service documentation.
Application Design Center supports the following components in General Availability:
Application Design Center supports the following components in Preview:
If your application deployment fails, you can troubleshoot and fix errors (Preview). For more information, see Troubleshoot and fix deployment issues.
Create a composite template (Preview) using multiple application templates and components. For more information, see Design composite templates.
You can store templates and applications in the following regions:
For more information, see the following:
Use the following Google-provided application templates:
The Bigtable editions feature is generally available (GA). Bigtable editions introduces advanced features in performance, analytic query capability, and resource management. You can choose between the Enterprise and Enterprise Plus edition to select the right capabilities for your workloads. For more information, see Editions overview.
Bigtable provides an in-memory tier as part of its hybrid storage architecture. This tier provides sub-millisecond read latency and high throughput for time-sensitive data with independent vertical scaling to handle traffic surges. The in-memory tier is available only in the Enterprise Plus edition in Preview. For more information, see In-memory tier overview.
Bigtable tiered storage limit increases from 32 TB to 64 TB per node. This expansion provides higher storage density to support retention of larger volumes of infrequently accessed data and is available only in the Enterprise Plus edition. Tiered storage is available in Preview.
As part of Bigtable editions, you can use Data Boost to read data from tiered storage and HDD clusters. This feature is available only in the Enterprise Plus edition and is generally available (GA).
As part of Bigtable editions, you can use Data Boost to run GoogleSQL queries. This feature is available only in the Enterprise Plus edition and is generally available (GA). For more information, see High-throughput SQL analysis with Data Boost.
As part of Bigtable editions, you can configure which cluster in a replicated instance is used for automated backups. This feature provides greater cost control and backup resource management. This feature is available only in the Enterprise Plus edition and is generally available (GA). For more information, see Bigtable backups overview.
Managed Service for Apache Airflow supports Gemini Cloud Assist Investigations capabilities. The new troubleshooting agent can now troubleshoot failed Airflow task instances and DAG runs. The feature is available through Gemini Cloud Assist Investigations, which is currently accessible in Private Preview.
You can now use quick-start migrations for homogeneous PostgreSQL migrations to Cloud SQL for PostgreSQL and AlloyDB for PostgreSQL.
Quick-start migrations are a lightweight continuous migration flow where Database Migration Service can automatically set up everything you need to migrate sources that have a private IP assigned in a VPC network, such as self-managed databases on Compute Engine or Cloud SQL for PostgreSQL instances. This feature is in Preview.
Cost optimization with Gemini Cloud Assist provides the following additional features:
For more information, see Optimize costs with Gemini assistance.
App Topology is in Preview. App Topology lets you query data about your resources and applications from multiple sources, and then view the correlated data as a topology graph.
Policy profiles in authorization policies let you define the type of authorization being performed at the load balancer. This feature is available in Preview.
You can choose from the following profile types:
Request authorization profile (REQUEST_AUTHZ): Evaluates access based on
HTTP request headers. Authorization decisions can be made directly or
delegated to custom services. This is the default profile.
Content authorization profile (CONTENT_AUTHZ): Enables deep inspection of
application payloads (headers, body, and trailers). This is used for
content-based security, such as blocking prompt injection attacks and
preventing sensitive data leaks. Authorization decisions are always delegated.
Policy profiles are supported for the following Google Cloud services:
To learn more about policy profiles, see Authorization policy overview.
The Cloud Logging API MCP server is generally available (GA). To learn about using the Logging MCP server to let agents and AI applications interact with your log entries, see Use the Cloud Logging remote MCP server.
Application Monitoring in Google Cloud provides both agent observability and application observability. Your Application Monitoring dashboards display performance metrics, including the error rates and token usage of your AI resources. Those metrics can help you understand the health and performance of your AI resources.
To learn more, see the following:
Preview: Cloud Number Registry provides IP address management (IPAM) capabilities to let you view, manage, and plan your IP address usage in Google Cloud.
Database Migration Service quick-start migrations are now integrated into Cloud SQL for PostgreSQL to provide a lightweight, continuous migration flow. This feature automates setup for sources with private IPs in a VPC network, including Cloud SQL for PostgreSQL instances and self-managed databases on Compute Engine.
For more information, see Quick-start migrations overview in the Database Migration Service documentation. This feature is in Preview.
Generally available: The G4 accelerator-optimized machine series now supports the creation of virtual machine (VM) instances with less than one GPU attached (fractional GPUs). When you create VM instances with fractional GPUs, you can select 1/2, 1/4, or 1/8 of a G4 GPU. Fractional GPUs let you optimize costs for workloads that don't require the resources of a full GPU.
For more information, see the G4 machine series overview.
Dataflow job builder now supports external Iceberg REST Catalogs as a source. You can now ingest data from external Apache Iceberg REST catalogs (IRC) directly into BigLake tables using Dataflow's job builder UI without writing code. For more information, see Import data from external Iceberg catalogs to BigLake using Dataflow.
Eventarc support for creating triggers for direct events from Gemini Cloud Assist is available in Preview.
Various bug fixes and minor product enhancements.
MCP support is available in Private Preview. To request access, contact your Google Cloud account team. You can interact with Gemini Cloud Assist agents from various surfaces, including third-party client agents and IDEs, using the Model Context Protocol (MCP). For more information, see Integrating with MCP.
Proactive agents are available in Private Preview to Premium Support customers. Enable Gemini Cloud Assist to autonomously investigate issues triggered by Cloud Alerting policies or cost anomalies in the background. These investigations don't modify or make any changes to your environment. Results and insights, such as root cause analysis for alerts or cost spike drivers, are delivered via Eventarc. You can view these results in the Google Cloud console. This feature requires administrator enablement and configuration of an agent identity. For more information, see Configure proactive agents.
Page context awareness is available in Public Preview. Gemini Cloud Assist automatically uses the context of the content currently visible on your Google Cloud console page to provide more relevant and accurate responses to your prompts. For more information, see Manage page context sharing.
Enhanced agent administration controls are available in Public Preview. Administrators have the following options in the Cloud Assist settings panel:
This initial release includes (but is not limited to) the following releases or changes:
gemini-embedding-2) for General Availability.The table below lists all of the features that have been transitioned from Vertex AI and what their new names are in Agent Platform.
| Vertex AI name | Agent Platform name |
|---|---|
| Vertex AI Platform | Agent Platform |
| Generative AI on Vertex AI | Generative AI |
| Vertex AI Studio | Agent Studio |
| Vertex AI API | Agent Platform API |
| Vertex AI Model Garden | Model Garden |
| Vertex AI Models as a Service (MaaS) | MaaS |
| (Gemini/Veo) on Vertex AI | (Gemini/Veo) on Agent Platform |
| (Claude/Llama/DeepSeek/etc.) on Vertex AI | (Claude/Llama/DeepSeek/etc.), available on Agent Platform |
| Pre-trained APIs on Vertex AI | Pre-trained APIs on Agent Platform |
| (Provisioned Throughput/Pay-as-you-go/etc.) on Vertex AI | (Provisioned Throughput/Pay-as-you-go/etc.) on Agent Platform |
| Gemini Live API on Vertex AI | Gemini Live API on Agent Platform |
| Vertex AI Search | Agent Search |
| Vertex AI Search for Industry | Agent Search for Industry |
| Vertex AI Search for Commerce | Agent Search for Commerce |
| Recommendations from Vertex AI Search | Recommendations |
| Vertex AI Conversation | Agent Conversation |
| Vertex AI RAG Engine | RAG Engine |
| Vertex AI Vector Search | Vector Search |
| Vertex AI Vector Search 2.0 | Agent Retrieval |
| Vertex AI Agent Engine | Agent Runtime |
| Vertex AI Studio App Builder | App Builder in Agent Studio |
| Vertex AI Agent Engine Memory Bank | Agent Platform Memory Bank |
| Vertex AI Agent Engine Sessions | Agent Platform Sessions |
| Vertex AI Agent Engine Code Execution | Agent Platform Code Execution |
| Grounding with Google [...] in Vertex AI | Grounding with Google [...] in Agent Platform |
| Grounding with Google [...] in Vertex AI Search | Grounding with Google [...] in Agent Search |
| Grounding with Google [...] in Vertex AI Studio | Grounding with Google [...] in Agent Studio |
| Vertex AI Training | Agent Platform Managed Training |
| Vertex AI Serverless Training | Agent Platform Serverless Training |
| Vertex AI Training Clusters (VTC) | Managed Training Clusters |
| Ray on Vertex AI | Ray on Agent Platform |
| Reinforcement Learning from Human Feedback (RLHF)/Reinforcement Learning (RL) on Vertex AI | Reinforcement Learning on Agent Platform |
| Vertex AI Neural Architecture Search | Neural Architecture Search on Agent Platform |
| Vertex AI Prediction/Vertex AI Inference | Agent Platform Inference |
| Vertex AI Vision | Agent Platform Vision |
| Vertex AI Batch Inference | Agent Platform Batch Inference |
| Vertex AI Online Inference | Agent Platform Online Inference |
| Vertex AI Endpoints | Agent Platform Endpoints |
| Vertex AI Forecasting/Forecasting with AutoML | Forecasting on Agent Platform |
| Vertex AI Pipelines | Agent Platform Pipelines |
| Vertex AI Notebooks | Agent Platform Notebooks |
| Vertex AI Colab Enterprise | Agent Platform Colab Enterprise |
| Vertex AI Workbench | Agent Platform Workbench |
| Vertex AI Workbench Instances | Agent Platform Workbench Instances |
| Vertex AI Feature Store | Agent Platform Feature Store |
| Vertex AI Model Registry | Agent Platform Model Registry |
| Vertex AI Model Evaluation | Agent Platform Model Evaluation |
| Gen AI evaluation service on Vertex AI | Gen AI evals |
| Vertex AI AutoML (Vision/Video/Tables) | Agent Platform AutoML |
| Data Labeling on Vertex AI | Data Labeling |
| Vertex AI on GDC | Agent Platform on GDC |
| Vertex AI Experiments | Experiments on Agent Platform |
| Vertex AI Model Monitoring | Model Monitoring on Agent Platform |
| Vertex AI Media Studio | Agent Media Studio |
| Vertex AI | Agent Platform |
| Vertex AI Generative AI | Agent Platform Generative AI |
The following known issues affect Gemini Enterprise Agent Platform:
audio_track_extraction feature does not work. For more information, see Issue #504505771.Google Distributed Cloud (software only) for VMware 1.33.700-gke.71 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.33.700-gke.71 runs on Kubernetes v1.33.5-gke.2200.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.33.700-gke.71:
cloud.google.com/gke-nodepool label for workload node pools unexpectedly included an -np
suffix. This caused pods using nodeSelector targeting the original pool
name (such as Apigee workloads) to fail to schedule. For clusters on older
versions experiencing this issue, you can manually set
the expected label in the node pool configuration.
stackdriver.enableVPC field to
true in a cluster configuration file would block upgrades to an Advanced
Cluster. The stackdriver.enableVPC field has been deprecated and its
setting is now ignored during the upgrade validation process. For clusters on
older versions experiencing this issue, remove
the field or set it to false in your configuration file before
you upgrade.
node-problem-detector was incorrectly deployed onto
non-Advanced VMware clusters. This caused the containerd runtime to
continuously restart on affected nodes due to incompatible health check
configurations, leading to ETCD/CRI failures (such as errors connecting to
/run/containerd/containerd.sock) and unsuccessful cluster upgrades.
The following feature was added in 1.33.700-gke.71:
Google Distributed Cloud (software only) for bare metal 1.33.700-71 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.33.700-71 runs on Kubernetes v1.33.5-gke.2200.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.33.700-gke.71:
A health check was added to detect when secrets or config maps mounted in pods become "stale," or out-of-sync with the Kubernetes API server. This feature addresses scenarios where the Kubelet's local cache fails to update with the latest versions of configuration data. The check performs the following actions:
The following issues were fixed in 1.33.700-gke.71:
containerd
restarts. After the fix, tasks are locked and run sequentially to ensure each
task completes successfully before the next begins. Each lock is held for up
to 20 minutes or until the task reaches success or failure.
To bypass this safety mechanismrun and run tasks concurrently, add the
following annotation to your cluster: baremetal.cluster.gke.io/concurrent-machine-update: "true".
etcd-events pod read the stale data directory when it started and attempted
to reuse the old member ID to rejoin the cluster instead of the new one.
Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures that the system clears the /var/lib/etcd-events directory upon
failure, and adds retry logic to kubeadm-reset to improve
resiliency against transient API errors.Terminating state. Because
the Kubernetes Eviction API rejects operations in terminating namespaces, the
cluster controller entered an infinite retry loop. The fix updates the drain
process to skip eviction for pods in terminal phases, allowing the upgrade to
proceed normally.kubectl top,
Horizontal Pod Autoscaling, and Vertical Pod Autoscaling could
fail with TLS verification errors during certificate authority rotation. This
occurred because the leaf certificate was not immediately renewed when the
certificate authority was rotated, causing a temporary mismatch between the
trusted certificate authority bundle and the certificate presented by the
metrics server.GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
There are no new releases in the Stable channel.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2407000 | cos-117-18613-534-80 | cos-117-18613-534-80 release notes |
| 1.32.13-gke.1362000 | cos-117-18613-534-80 | cos-117-18613-534-80 release notes |
| 1.33.11-gke.1013000 | cos-121-18867-381-63 | cos-121-18867-381-63 release notes |
| 1.34.6-gke.1307000 | cos-125-19216-220-130 | cos-125-19216-220-130 release notes |
| 1.35.3-gke.1522000 | cos-125-19216-220-130 | cos-125-19216-220-130 release notes |
There are no new releases in the Stable channel.
Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the Migration guide and Community post to begin your transition.
This migration applies to you only if your SIEM instance meets one of the conditions below:
This migration does not apply to you if your SIEM instance meets all the conditions below:
Netskope: Version 17.0
The following new actions have been added:
Add Entities to URL List
Deploy URL List Changes
Netskope: Version 17.0
Added a new Use V2 API parameter to the following actions:
List Clients
List Quarantined Files
Integration: Added support for V2 API endpoints and OAuth 2.0 authentication.
Qualys VM: Version 26.0
SCC Enterprise: Version 21.0
Updated ticket synchronization logic in the following job:
McAfee Mvision EDR: Version 12.0
Login API Root as a
customizable parameter.Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the Migration guide and Community post to begin your transition.
This migration applies to you only if your SIEM instance meets one of the conditions below:
This migration does not apply to you if your SIEM instance meets all the conditions below:
Privileged Access Manager supports agent identities as grant requesters and approvers.
This feature is available in preview.
For more information, see Privileged Access Manager overview.
Agent Identity auth manager is available in preview. You can use Agent Identity auth manager to help securely authenticate your agents to third-party services using 3-legged OAuth, 2-legged OAuth, or API keys.
For more information, see Agent Identity auth manager.
Agent Identity is generally available (GA). Agent Identity provides a strongly attested, cryptographic identity for each agent that is tied to the lifecycle of the resource hosting the agent.
For more information, see Agent Identity overview.
When Security Command Center is activated at the project level only, you can enable Vulnerability Assessment for Google Cloud on the single project.
Security Command Center has new predefined rules and controls:
Additional predefined security graph rules to support Agent Runtime
Additional support in existing correlated threats rules for Agent Runtime
Additional runtime detectors in Agent Platform Threat Detection
Additional Event Threat Detection rules to support AI agents
Security Command Center findings that are related to AI security risks are available in the Security tab of the Gemini Enterprise Agent Platform. The feature helps provide comprehensive visibility into findings, active threats, and attack path simulations. This feature requires Security Command Center Premium or Enterprise.
For more information, see View security findings.
Preview stage support for the following integration:
Preview stage support for the following integration:
Agent Search: MCP server (GA)
Agent Search has a Model Context Protocol (MCP) server hosted at the
following endpoint: https://discoveryengine.googleapis.com/mcp
This feature is generally available (GA). For more information, see MCP Reference: discoveryengine.googleapis.com.
Agent Search: Dense reciprocal rank for custom ranking
You can use the dense reciprocal rank transformation function, drr, to
customize search result ranking. It's an improvement on the reciprocal rank
function, rr. Using the dense reciprocal rank function leads to higher
quality ranking when there are duplicate signal values.
Duplicate signal values are more common when the ranking formula contains the following types of signal:
boosting_factor signalgeo_distance() function signalThis feature is generally available (GA). For more information, see Customize search results ranking.
Agent Search: Geodistance function for custom ranking (GA)
The geo_distance function can be used in custom ranking formulas to calculate
the distance between a source location and a destination location. The function
supports query locations extracted from natural language, explicitly provided
coordinates, and addresses.
This feature is generally available (GA). For more information, see Custom ranking: Geodistance—a derived signal.
Agent Search: Filter searches by document-level relevance (GA)
When searching in your Agent Search app, you can specify document-level relevance filters so that only the documents that meet the filter threshold are returned as results.
You can specify either the relevance threshold or semantic-relevance threshold to filter documents by relevance based on keyword and semantic search similarity.
This feature is Generally Available (GA). For more information, see Filter searches by document-level relevance.
Agent Search: Renamed from Vertex AI Search
The Vertex AI Search product has been renamed as Agent Search in the following contexts:
What has not changed:
The user interface in the Google Cloud console is still referred to as Vertex AI Search and AI Applications. See Vertex AI Search.
The APIs still use the Discovery Engine API endpoints. See APIs and reference.
Despite the rebrand, the product functionality remains the same.
]]>The integration between AlloyDB for PostgreSQL and Knowledge Catalog (in Preview) is now enabled by default for all new AlloyDB clusters.
This integration provides a unified view of your metadata to simplify data governance and analysis. Recent enhancements feature near real-time synchronization, with updates reflecting in Knowledge Catalog within minutes, as well as expanded metadata details that now include Primary Keys and Foreign Keys.
For more information, see Integrate AlloyDB for PostgreSQL with Knowledge Catalog.
You can now use the AlloyDB columnar engine to act as a read-optimized, in-memory cache for HNSW indexes. This increases the number of queries per second (QPS) that your database can handle for vector search workloads. This feature is available in Preview.
For more information, see Accelerate vector search with the columnar engine.
Cloud Asset Inventory now supports listing assets over Model Context Protocol (MCP) (Preview).
You can now create an account connector using a custom OAuth client.
You can now use Git proxy with account connectors.
Gemini Enterprise: View agent identity (Preview)
As a Gemini Enterprise administrator, you can view an agent's identity on the Agent details page. This is typically the agent's SPIFFE ID.
This feature is in Public Preview. If the SPIFFE ID is not published by the publisher, the Agent Registry resource ID is displayed as a fallback. For more information, see Agent identity.
Gemini Enterprise: Register agents using A2UI and A2A with Gemini Enterprise (Preview)
Gemini Enterprise administrators can register and manage agents using Agent to UI (A2UI) to build custom interfaces and the Agent2Agent (A2A) Protocol for communication with Gemini Enterprise.
This feature is in Public Preview. For more information, see:
For clusters running GKE version 1.35.3-gke.1389000 or later,
you can now use the c4a-highmem-96-metal
(Preview) machine
type from the C4A machine series with the following features:
Starting in GKE version 1.35.2-gke.1842000, you can install the Slurm Operator add-on for GKE (Preview). This managed installation of the Slurm Operator allows you to enable Slurm scheduling capabilities on any GKE cluster. The add-on provides the foundation to build customized AI and HPC platforms, including CPU, GPU, and TPU machines (covering specific scenarios). For more information, see About Slurm on GKE.
Spanner full-text search supports
custom dictionaries
to create custom synonym mappings. You can use custom dictionaries with the
SEARCH, SCORE, and SNIPPET functions.
You can now use the Database Insights remote MCP server to analyze AlloyDB's performance and system metrics. This feature is in GA.
The AlloyDB remote MCP server—available through the global endpoint—is now generally available (GA) and includes support for the following:
For more information, see Use the AlloyDB remote MCP server.
ChatGPT users aren't able to list or use the AlloyDB toolset provided by the AlloyDB remote MCP server.
On April 20, 2026 we released an updated version of the Apigee hybrid software, v1.16.1.
| Bug ID | Description |
|---|---|
| 469900037 | Apigee hybrid now supports LLMTokenQuota and PromptTokenLimit policies. |
| 502577947 | Enhanced the ParsePayload policy to support a broader set of Model Context Protocol (MCP) methods and implemented governance bypass for essential system-level methods. |
| 503029410 | Removed PII from ParsePayload policy outputs to improve security and privacy. |
| Bug ID | Description |
|---|---|
| 485998102, 482978613 | Security fixes for apigee-runtime, apigee-mart-server, and apigee-synchronizer. This addresses the following vulnerabilities: |
| 471527485, 471173296, 471172082, 471171833 | Security fixes for apigee-synchronizer. This addresses the following vulnerabilities: |
| 454672970 | Security fix for apigee-runtime. This adds strict input validation to the IntegrationRegion parameter in the SetIntegrationRequest policy to prevent potential server-side request forgery (SSRF). |
| 493067053, 493061344, 492959383, 492957334, 492359443, 492358696, 492067139, 490280970, 489908390, 489907729, 489489437, 488070159, 485580973 | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 494902472, 493902764, 493747531, 493747186, 493066364, 492956556, 492812098, 492810982, 492737291, 492733739, 492067214, 491191150, 490628133, 490627481, 490279890, 490278396, 489905507, 489904404, 477290192 | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| 494874583, 493352686, 493350530, 493065065, 492958506, 492958221, 492810419, 492734198, 492360831, 491606491, 491602959, 490628958, 490628720, 490625335, 489487288, 477290192 | Security fixes for apigee-watcher. This addresses the following vulnerabilities: |
| 493904046, 493748763, 493353749, 492959837, 492959353, 492958532, 492734063, 492358967, 491163162, 489907974, 489494841, 477290192 | Security fixes for apigee-operators. This addresses the following vulnerabilities: |
| 493940049, 493935866, 492812693, 492811208, 490847438, 490285784, 443494822, 430609333, 428036268, 428035602 | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: |
| 494873893, 492957899, 492811896, 492735230, 492734621, 492362013, 492358145, 492044636, 491192904, 491163716, 490628292, 490283689, 489908590, 489487798, 485998102, 482978613 | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerabilities: |
| 495206280, 492736206, 492358267, 491606961, 491603879, 490845184, 490842872, 490626346, 490625529, 490278258, 489155677 | Security fixes for apigee-udca. This addresses the following vulnerability: |
| 492959491, 492959470, 492959266, 492812323, 492736535, 492736355, 492736200, 492734720, 492549333, 492528258, 492528186, 492361814, 492360845, 492359742, 492359020, 492039084, 490625473, 489488025, 489120498 | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerability: |
| 492959323, 492958717, 492813153, 492736850, 492736096, 492735265, 492360419, 492359937, 492359237, 492041473, 491604321, 491602140, 490847572, 490627493, 490282905, 489151338, 489127231 | Security fixes for apigee-redis. This addresses the following vulnerability: |
| 492736867, 492735320, 492550947, 492549407, 492360316, 492359543, 492358244, 491608063, 491603446, 491169265, 490282128, 490278007, 490276323, 489127588, 489124394 | Security fixes for apigee-asm-ingress. This addresses the following vulnerability: |
| 492956844, 492956300, 492812417, 492811007, 492810814, 492528300, 492361776, 492360457, 492360310, 492360053, 492358006, 492037890, 491606683, 489492294, 489152529 | Security fixes for apigee-asm-istiod. This addresses the following vulnerabilities: |
You can use the Database Insights remote MCP server to analyze Bigtable's performance and system metrics. This feature is generally available (GA).
Bigtable continuous materialized views are generally available (GA). These views let you create precomputed tables that Bigtable automatically keeps in sync with your source data for low-latency queries and real-time insights.
Bigtable free trial instances are generally available (GA). These instances let you learn and explore Bigtable features for 90 days at no cost, providing a 1-node SSD cluster and up to 500 GB of storage. For more information, see Free trial instances overview.
The Bigtable remote MCP server is generally available (GA). The Bigtable remote MCP server lets you interact with Bigtable instances from LLMs, AI applications, and AI-enabled development platforms.
GKE workload recommenders now available in the FinOps hub
You can now view recommendations for right-sizing overprovisioned workloads and optimizing underprovisioned workloads for Google Kubernetes Engine (GKE) clusters directly in the FinOps hub.
For more information, see Optimize workload resource utilization.
Cloud Run ephemeral disk, which allows you to mount a volume that persists only for the duration of your service, job, or worker pool instance, is in Preview.
You can use the Database Insights remote MCP server to analyze Cloud SQL for MySQL's performance and system metrics. This feature is in GA.
You can use the Database Insights remote MCP server to analyze Cloud SQL for PostgreSQL's performance and system metrics. This feature is in GA.
You can use the Database Insights remote MCP server to analyze Cloud SQL for SQL Server's performance and system metrics. This feature is in GA.
Cloud Storage Model Context Protocol (MCP) server is generally available. You can connect to Cloud Storage from AI applications using the server. It lets AI applications and agents create buckets, retrieve object metadata, read and write object data, and list buckets and objects. For more information, see Use the Cloud Storage MCP server and Cloud Storage MCP reference.
Generally available: You can use the Compute Engine remote Model Context Protocol (MCP) server to let AI agents and AI applications manage Compute Engine resources, such as Compute Engine instances, managed instance groups, disks, and snapshots. For more information, see Use the Compute Engine remote MCP server.
Knowledge Catalog discovers links between data assets, helping you understand how they connect and the nature of their relationships. This feature is available in preview. For more information, see View data relationships in Knowledge Catalog.
The Firestore emulator now supports Enterprise edition. See Start emulator in specific edition.
Firestore Enterprise edition in Native mode and the Pipeline operations interface are now supported at the General Availability (GA) level.
Firestore Enterprise edition now supports Text search and Geospatial search.
These features are in Preview.
The Firestore remote MCP server is now supported at the General Availability (GA) level.
You can now use pipeline operations to perform joins with subqueries. To learn more, see Perform joins with subqueries.
Firestore Enterprise edition now supports the
update(...) and delete() pipeline operation stages.
Use these stages to Modify data with Pipeline operations.
This feature is in Preview.
The maximum document size has been increased to 16 MiB. To learn more, see Behavior differences.
Support for text and geospatial search. You
can create text indexes, perform text and geospatial search queries using
the $text and $near operators, handle language settings, and calculate
relevance scores. To learn more, see Text search
and Geospatial search.
These features are available in Preview.
$lookup now supports let and pipeline.
Support for Change Streams. Change streams let applications access real-time changes (inserts, updates, and deletes) made to a collection or to an entire database.
This feature is available in Preview.
Support for the drop() command to delete entire collections.
This feature is available in Preview.
Gemini Enterprise: Request access to Google Cloud Marketplace agents (Preview)
End users can request access to Google Cloud Marketplace agents from Agent Gallery. Admins can configure the visibility of these agents, view purchase requests, and manage access requests.
This feature is in Public Preview. For more information, see:
Gemini Enterprise: Register ADK agents hosted on Vertex AI Agent Engine
You can register ADK agents hosted on Vertex AI Agent Engine with Gemini Enterprise. This includes agents running within Vertex AI Agent Engine in a different Google Cloud project. This feature is generally available (GA).
For more information, see:
Accelerator network profile is Generally Available (GA), simplifying your AI/ML node pool setup. Accelerator network profile automates networking configuration, including the creation of necessary VPCs and subnets, removing the need for complex, manual steps previously required for configuring GPU and TPU workloads. For details, see Configure automated networking for accelerator VMs.
Now available in preview, the Looker VS Code Extension brings LookML development to local desktop IDEs like Visual Studio Code, Claude Code, and Cursor. The extension supports syntax highlighting, autocomplete, real-time file synchronization with your Looker instance, and LookML validation. With the Looker MCP server, it enables AI-assisted development, allowing you to use natural language with agents like Gemini to generate and edit LookML code.
Oracle Database@Google Cloud integrates with Database Center to provide fleet-wide insights, proactive alerts, and actionable recommendations for your Oracle Database@Google Cloud resources, including Oracle Exadata and Autonomous databases. For more information, see Monitor the health of your Oracle Database@Google Cloud resources in Database Center.
This feature is Generally Available (GA).
Google SecOps for SAP is in Preview
Google SecOps for SAP is in Preview. This service helps you secure your SAP applications by integrating business-critical telemetry into the Google Security Operations platform, providing unified visibility and AI-powered threat detection across your SAP landscape.
For more information, see Google SecOps for SAP overview.
The Spanner remote MCP server is generally available (GA). The Spanner remote MCP server lets you interact with Spanner instances from LLMs, AI applications, and AI-enabled development platforms.
You can use the Database Insights remote MCP server to analyze Spanner's performance and system metrics. This feature is generally available (GA).
You can now use Spanner Studio to visually create and manage a Spanner Graph schema. Visual modeling simplifies graph design by enabling you to map nodes and edges through an intuitive interface instead of creating manual DDL statements. This feature is available in Preview.
]]>New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. Instances on MySQL version 8.0 or later will have updates sent to Knowledge Catalog in near real-time. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Near real-time.
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. Instances on PostgreSQL version 14.0 or later will have updates sent to Knowledge Catalog in near real-time. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Near real-time.
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Create a new instance with Knowledge Catalog integration enabled.
]]>When querying your Elasticsearch data using
standard SQL queries and specifying an
OFFSET, if the OFFSET gets pushed down, it gets applied twice. For example,
if your SQL query contains OFFSET 5, AlloyDB tries
to push the OFFSET down. Then, AlloyDB applies the
OFFSET again when the results are returned.
External search with AlloyDB now supports Elasticsearch in Preview.
With this update, you can use the external_search_fdw extension to connect to Elasticsearch and perform hybrid searches within AlloyDB. This integration allows you to combine the capabilities of AlloyDB with Elasticsearch for advanced search scenarios. For more information, see Access Elasticsearch data from AlloyDB.
The following AlloyDB AI function capabilities are available in Preview:
AI Function Apply node to run faster queries with AI functions. This feature optimizes the execution of SQL queries that use the ai.if and ai.rank functions in PostgreSQL 17. For more information, see Accelerate performance for queries with AI functions.You can now use the sentiment analysis and summarization functions. These functions let you process and analyze unstructured data directly in your database:
ai.analyze_sentiment: classifies the emotional tone of text as positive, negative, or neutral, helping you analyze real-time customer feedback from thousands of raw, unstructured product reviews.ai.summarize: condenses lengthy text into its essential information. Use this to extract key decisions and action items from sources like meeting transcripts or technical documentation.ai.agg_summarize: an aggregate function that processes multiple rows in a column to generate a single, unified summary for a group. For instance, you can summarize all reviews for a specific seller using a GROUP BY clause.For more information, see Evaluate sentiment and Summarize content.
App Optimize API is in Preview. App Optimize API helps you to monitor, analyze, and improve the performance and cost-efficiency of your cloud applications.
You can now integrate Cloud SQL for SQL Server with Vertex AI and third-party models (Preview).
By integrating your Cloud SQL for SQL Server instance with Vertex AI, you can generate vector embeddings from models hosted in Vertex AI directly from your Cloud SQL instance.
Cloud SQL for SQL Server supports model endpoints from the following sources:
For more information, see Integrate Cloud SQL for SQL Server with Vertex AI.
Cloud Scheduler is available in the following locations:
europe-west4 (Eemshaven, Netherlands)me-central1 (Doha, Qatar)me-central2 (Dammam, Saudi Arabia)me-west1 (Tel Aviv, Israel)Generally available: You can create a Hyperdisk Balanced High Availability disk by cloning a zonal Hyperdisk Balanced or Hyperdisk Extreme disk. This lets you make your zonal workloads highly available by adding a replica of the data in another zone within the same region.
For more information, see Create a regional disk clone from a zonal disk.
Data quality now supports rule reusability. You can now define data quality rules as templates and reuse them across multiple catalog entries to standardize your data quality processes. You can also use a shared library of system rule templates for common data validation scenarios. For more information, see Reuse data quality rules.
You can now build and run a Knowledge Catalog discovery agent to get more relevant search results for complex natural language queries.
For more information, see Build an agent to discover your data.
To further refine lineage graphs, Knowledge Catalog lineage views include new highlight and filter modes. This feature is available in preview. For more information, see Apply filters and highlighting for a focused view.
RAG Cross Corpus Retrieval
RAG Cross Corpus Retrieval is available in public preview. This feature allows you to retrieve relevant contexts or generate answers from multiple RAG corpora simultaneously using the AsyncRetrieveContexts and AskContexts APIs.
For more information, see RAG Cross Corpus Retrieval.
The Managed Service for Apache Kafka remote MCP server is generally available (GA).
The Memorystore for Redis remote MCP server is Generally Available.
The Memorystore for Valkey remote MCP server is Generally Available.
You can secure access to your instances by using basic token-based authentication. This feature is available in Preview.
The ONTAP-mode for the Flex Unified pools is generally available (GA). For more information about this new mode, see About ONTAP-mode.
Google Cloud NetApp Volumes Flex Unified service level is generally available (GA) for NFS, SMB, and NVMe/TCP protocols. For more information, see Key features.
The large capacity volumes feature, a file-only solution with NFS and SMB protocols for massive datasets, is generally available (GA) for the Flex Unified service level. For more information, see Large capacity volumes.
You can use the Network Management API remote Model Context Protocol (MCP) server to create, view, and delete Connectivity Tests.
You can now use the Oracle Database@Google Cloud remote MCP server. The remote MCP server lets you interact easily with Oracle Database@Google Cloud resources from LLMs, AI applications, and AI-enabled development platforms.
This feature is in Preview.
The Pub/Sub remote MCP server is generally available (GA).
Through the Application Design Center, Security Command Center helps you perform proactive security assessments (Preview) throughout your application development lifecycle. This integration shows both design-time and runtime findings in Security Command Center. For more information, see Application lifecycle security assessments.
Data Security Posture Management has new controls in Preview. The controls help you secure Cloud Storage objects and include the following:
For more information, see Advanced data governance and security cloud controls.
You can use authorization extensions to insert custom services directly into the Secure Web Proxy processing path. This feature is in Preview. For more information, see Callouts for Secure Web Proxy.
Authorization extensions support authorization policy request and content profiles in Preview.
Repeatable read isolation is generally available. You can use it to reduce latency and transaction failure rates for workloads that have many reads contending with fewer writes. For more information, see Repeatable read isolation.
Spanner supports Gemini Cloud Assist investigation capabilities. You can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium support contract.
For more information, see monitor and troubleshoot your Spanner instance with AI assistance.
Columnar engine for Spanner is now generally available (GA). Columnar engine is a storage technique used with analytical queries to make scans up to 200 times faster on live operational data without affecting transaction workloads. This release enables support for Columnar Engine in databases that use the Postgres interface.
For more information, see the Columnar engine for Spanner overview.
]]>Generally available: The AI Hypercomputer documentation includes support for the A3 Mega and A3 High machine types. The addition of A3 Mega and A3 High expand the available compute options for training and serving large-scale AI models on Google Kubernetes Engine (GKE) and Compute Engine.
To support this effort, several new pages have been added and existing pages updated in the AI Hypercomputer documentation where relevant. These updates provide comprehensive guidance for deploying, managing, and optimizing the A3 Mega and A3 High machine types within the AI Hypercomputer stack.
New documentation pages include the following:
The following vector search improvements are now available in Preview:
alloydb_scann extension now supports four-level tree indexes,
providing support for tables with up to 10 billion vector rows. For more
information, see Four-level ScaNN tree
indexes.Adaptive filtering from inline filtering to pre-filtering is now generally available (GA). With AlloyDB AI, you can use adaptive filtering to optimize filtered vector searches. This feature enables the query optimizer to use cost-based analysis to dynamically choose the most efficient filtering strategy—either inline filtering or pre-filtering—based on real-time data distributions. This improves filtered vector search performance without requiring manual tuning or intervention. Note that the feature adaptive filtering from pre-filtering to inline filtering is still in Preview.
For more information, see Understand adaptive filtering in AlloyDB AI.
The alloydb_scann extension is updated to include the following
vector search improvements. These features are generally available
(GA):
You can stream messages from Pub/Sub directly to a Bigtable table using Bigtable subscriptions. This feature lets you write streaming messages to Bigtable without needing a separate subscriber such as Dataflow. This feature is available in Preview.
Support for specifying custom CPU or concurrency targets using scaling controls is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
Cluster Toolkit version v1.88.0 is available. This release adds dynamic
machine configurations by using the Compute Engine API. This release also
refactors the naming convention for Helm releases within the kubectl-apply
module, which helps to improve the predictability and maintainability of
deployed resources. For details, see the Release announcement on
GitHub.
Generally available: To ensure data consistency when backing up multiple disks, you can use consistency groups of instant snapshots to back up a group of disks at the same point in time.
For more information, see About instant snapshots.
Preview: You can specify a 120-second preemption notice duration while creating Spot VMs. Use this feature for workloads on Spot VMs where you want up to an additional 120 seconds for handling preemption. If you want to migrate existing Spot VMs workloads, make sure you update your workload to handle preemption outside of a shutdown script and test preemption. For more information, see Spot VMs and Create and use Spot VMs.
Generally available: You can rotate the customer-managed encryption key (CMEK) used to encrypt a disk, standard snapshot, or archive snapshot to a new key version without downtime.
Generally available: You can change the CMEK used to encrypt a disk, standard snapshot, or archive snapshot to a different key without downtime.
For more information, see Rotate the CMEK for a disk or standard snapshot and Change the CMEK for a disk or standard snapshot.
You can connect Dataform repositories to third-party Git repositories using Developer Connect, removing the need for manual secrets management and enabling support for repositories in privately hosted networks. This feature is generally available (GA).
Data insights for unstructured data transforms dark data or unstructured files in the form of PDFs in Cloud Storage into structured, queryable assets. This feature is now available in preview.
For more information, see About data insights for unstructured data.
You can now create a Datastream stream directly from the overview page of your AlloyDB for PostgreSQL instance using the automated flow. The automated flow simplifies the process of moving data to BigQuery by reducing the number of steps that you need to perform.
For more information, see Create an AlloyDB for PostgreSQL stream using the automated flow.
Various bug fixes and minor product enhancements.
As of April 16th, 2026, the geminicloudassist.googleapis.com API has been
automatically enabled on projects that meet all of the following criteria:
cloudaicompanion.googleapis.com API enabled on April 16, 2026.geminicloudassist.googleapis.com API enabled on
April 16, 2026.The Gemini Cloud Assist chat functionality that was previously served by
cloudaicompanion.googleapis.com is now served by
geminicloudassist.googleapis.com, and both APIs are dependencies to use
Gemini Cloud Assist. This automatic API enablement ensures that users have
access to the same functionality without any loss of service.
You can migrate your workloads from your self-managed Redis and Valkey instances that run in Google Cloud Platform into Memorystore for Valkey. This feature is available in Preview.
The shared and customer-managed Certificate Authority (CA) modes are Generally Available.
You can stream messages from Pub/Sub directly to a Bigtable table using Bigtable subscriptions. This feature lets you write streaming messages to Bigtable without needing a separate subscriber such as Dataflow. This feature is available in Preview.
Integrated secret synchronization feature is now Generally Available (GA). You can automatically synchronize secrets from Secret Manager into Kubernetes Secret objects within your Google Kubernetes Engine (GKE) clusters. This process allows applications to access secrets from Secret Manager using standard Kubernetes methods, such as environment variables or volume mounts. Applications that are already configured to read secrets from Kubernetes Secret object can now seamlessly read secrets in Secret Manager.
For more information, see Synchronize secrets to Kubernetes Secrets.
AI Protection supports agentic workloads in Preview, including Gemini Enterprise Agent Platform and Model Context Protocol (MCP) servers. This update includes the following:
The AlloyDB for PostgreSQL index advisor is enabled by default. It provides vector search index recommendations for Scalable Nearest Neighbors (ScaNN) indexes. For more information, see Use the index advisor.
Platform logs can record data about successful and failed requests made to Artifact Registry repositories. For more information, see Access and use platform logs.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) names remain unchanged. For more information about how Bigtable metadata interacts with Knowledge Catalog, see Manage data assets using Knowledge Catalog.
The following resource type is publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, SearchAllResources, and SearchAllIamPolicies APIs.
storagebatchoperations.googleapis.com/JobTo more strongly embrace the success and growing customer preference for OSS solutions, Cloud Composer is evolving to become Managed Service for Apache Airflow. This name change provides improved customer understanding of our portfolio while reinforcing our commitment to being the most open cloud ecosystem.
Airflow 3 is now generally available (GA) in Cloud Composer 3.
Cloud Composer remote Model Context Protocol (MCP) server is available in Preview.
You can use Cloud Composer remote Model Context Protocol (MCP) server to connect to Cloud Composer from AI applications such as Gemini CLI, ChatGPT, Claude, or in AI applications that you're developing. The Cloud Composer MCP server lets you manage Cloud Composer environments and get details about executed DAG runs and Airflow tasks.
The Cloud Run remote MCP server, which lets agents and AI applications deploy with Cloud Run, is in General Availability (GA).
Your trace data can be encrypted with a customer-managed encryption key (CMEK). To enable CMEK, set a default storage location and for that location, set a default Cloud Key Management Service key.
You can set these defaults for an organization, a folder, or a project. When set for an organization or folder, the settings apply to that resource and to its descendants. For more information, see Set defaults for observability buckets.
When you configure a default storage location, you control the location of your new observability buckets. These buckets store your trace data.
You can set a default storage location for an organization, a folder, or a project. When set for an organization or folder, the setting applies to that resource and to its descendants. For more information, see Set defaults for observability buckets.
You can view the physical location of your Compute Engine instances in a zone to understand your cluster topology. This information helps you reduce network latency between your compute instances. For more information, see View Compute Engine instance topology.
Generally available: You can control the physical location of the Compute Engine instances in a MIG by using workload policies. Workload policies help you to, for example, place your compute instances close together to minimize network latency when running AI or ML workloads. For more information, see About workload policies in MIGs.
Gemini Enterprise: Use Gemini Enterprise Admin and Gemini Enterprise User IAM roles
Use the Gemini Enterprise Admin and Gemini Enterprise User roles.
The Gemini Enterprise Admin and Gemini Enterprise User roles still map to the Discovery Engine admin and user roles, so existing customers do not need to make any changes.
For more information, see IAM roles and permissions.
Google Cloud CCaaS 4.21
We've released version 4.21 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Language selection support for direct calls
End-users making direct calls to agent phone numbers and agent extension numbers can select their language at the start of a call.
Administrators: The Add Number and Edit a Number dialogs, located at Settings > Call > Phone Numbers > Phone Number Management, have a new Set languages checkbox (when the Set as a direct number checkbox is selected). When you select the Set languages checkbox, the Select languages list appears.
For more information, see Create a direct phone number.
"Improved controls for predictive campaigns" is available without assistance from the Google account team
This feature was announced on March 24, 2026 but previously required the Google account team to enable it. You no longer need assistance from the Google account team to use this capability. For more information, see Predictive campaigns.
Virtual agents can transfer calls to a specific human agent
Virtual support agents can transfer calls directly to a specific human agent
using the agent ID or agent extension number. Include the agent_extension or
agent_id field in the transfer payload to direct the call to the correct
agent. Transferring directly to a human agent eliminates the intermediate step
of transferring to a queue before transferring to the agent. This can improve
wait times and customer satisfaction. For more information, see Virtual agent
to human agent
transfers.
The following issues were addressed in this release:
Fixed an issue where backslash characters in chat shortcuts and chat messages weren't displayed correctly, resulting in missing or empty message chat bubbles.
Fixed an issue where virtual agent chat transcripts didn't match the actual conversation.
Fixed an issue where call times in session metadata for virtual agent to human agent escalations were shorter than the actual call times.
Fixed an issue where agents were able to join a conference call despite receiving microphone permission errors.
Fixed an issue where direct inbound calls to Twilio numbers assigned at the user level continuously rang without reaching the agent.
Fixed an issue where chat transfers from auto-answer queues to manual-answer queues were incorrectly recorded as manual-to-manual in reporting.
Fixed an agent desktop issue where French (Canadian) translations were missing or incorrect during outbound calls.
Fixed an issue where the All Teams filter didn't block interactions with background elements, which could cause unintended end-user interactions with the UI.
Fixed an issue where missed call volumes didn't appear on the agent monitoring page.
Fixed an issue that occurred when the Display transfer history in agent adapter capability was enabled. After a virtual agent escalation, escalated queue names were shown in English instead of the correct target language.
Fixed an issue where virtual agent audio sessions ended after 15 minutes, causing calls to be escalated unexpectedly.
Fixed an issue where underscores within email addresses were incorrectly removed in CRM transcripts.
Fixed an issue where chat transcript PDFs weren't generated when real-time redaction was enabled and conversations included non-text message types such as inline buttons or content cards.
Fixed an issue where content cards sent by virtual agents during conversations were missing from the PDF chat transcript.
Fixed an issue where chat transcripts created through the API weren't appearing in agent conversations.
Fixed an issue where voicemails disappeared from the agent's queue and didn't appear in voicemail history or reports.
Fixed an issue where the agent adapter displayed Escalated Virtual Agent Call instead of IVR Callback after connecting during a callback.
Fixed an issue where chat disposition selections reset during wrap-up, particularly when Agent Assist was enabled.
Fixed an issue where custom fields in dialer list uploads worked only if the column headers were in all caps.
Fixed an issue where the email adapter didn't start up.
Google Distributed Cloud (software only) for VMware 1.34.300-gke.59 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.34.300-gke.59 runs on Kubernetes v1.34.3-gke.400.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.34.300-gke.59:
stackdriver.enableVPC field to true in
a cluster configuration file blocked upgrades to an Advanced Cluster. This field has no
current function, and the upgrade validation now ignores it, allowing
upgrades to proceed.
gkectl upgrade admin command after a previous
failure failed with AlreadyExists errors (such as failing to create the credential
namespace) in the bootstrap cluster. The command was updated to automatically
handle resources left over from a previous attempt, making it safe to retry directly
and eliminating the need for manual cleanup.
certificate
signed by unknown authority when pulling the Kind image) during cluster upgrades.
Google Distributed Cloud (software only) for bare metal 1.34.300-gke.59 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.34.300-gke.59 runs on Kubernetes v1.34.3-gke.400.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.34.300-gke.59:
RecentFailures field
in the cluster status. This change provides a centralized location for viewing
errors from both worker node pools and control plane nodes, improving the
troubleshooting and debugging experience.
kubectl top, Horizontal Pod Autoscaling (HPA), and Vertical Pod Autoscaling
(VPA)—could fail with TLS verification errors during CA rotation.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
There are no new releases in the Stable channel.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2369000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.31.14-gke.1790000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.32.13-gke.1318000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.35.3-gke.1389000 | cos-125-19216-220-106 | cos-125-19216-220-106 release notes |
There are no new releases in the Stable channel.
Unified and upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. In addition, we've upgraded the following Chronicle API resources from alpha to beta. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend customers use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
SentinelOneV2: Version 50.0
The following new job has been added:
CrowdStrike Falcon: Version 76.0
The following new job has been added:
ServiceNow: Version 64.0
Added support for disabling overflow settings and updated ticket processing and environment mapping logic in the following connector:
Zscaler: Version 14.0
Added the ability to provide IOCs using input parameters to the following actions:
Add To Blacklist
Add To Whitelist
Remove From Blacklist
Remove From Whitelist
Integration: Added support for OAuth authentication.
Mandiant Threat Intelligence: Version 17.0
Optimized execution performance and entity processing logic in the following action:
Migrate your Teams webhook to "Workflows"
Microsoft is retiring the legacy Office 365 Connectors in favor of Power Automate Workflows. Connectors will stop working by the end of April 2026. To ensure that your Looker alerts continue to deliver to Teams, you must replace your current webhook URL with a new "Workflow" URL. For more information, see the Migrate your Teams webhook to "Workflows" Best Practices notice.
Memorystore for Valkey has new node types that you can select for your instances. This feature is Generally Available.
When you activate Security Command Center Standard or Premium tier for a project, several services are automatically enabled and service-specific service agents are provisioned with the required IAM roles and permissions.
For more information, see Activate for a project when Security Command Center is not active in the organization.
]]>As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your AlloyDB for PostgreSQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
Support for deploying Cloud Run worker pools is now generally available (GA).
The Deployments page supports viewing recent application deployments to Google Kubernetes Engine (GKE) and Cloud Run.
Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) with VPC Network Peering is Generally Available.
Network Connectivity Center (NCC) support for Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) is available in Preview.
For more information, see Partner Cross-Cloud Interconnect for AWS overview. For available locations, see Choose a paired location.
Support for worker pools is in General Availability (GA).
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
A vulnerability (CVE-2025-54510) about AMD SEV-SNP guest memory integrity has been addressed. For more information, see the GCP-2026-019 security bulletin.
A vulnerability affecting AMD SEV-SNP Confidential VM instances was discovered and has been addressed. For more information, see the GCP-2026-021 security bulletin.
Generally available: Hyperdisk ML disks are supported by the following machine series:
For more information, see Hyperdisk ML overview.
A vulnerability affecting AMD SEV-SNP Confidential VM instances was discovered and has been addressed. For more information, see the GCP-2026-021 security bulletin.
Anthropic's Claude Opus 4.7
Claude Opus 4.7 is available in Model Garden.
Advance reporting dashboards prerelease notes
Here are the pre-release notes for updates to the advanced reporting dashboards. When we release these updates, we expect the new capabilities to be as shown here.
Added a Location filter to dashboards
The following dashboards now include a Location filter:
Real-time Channel Performance
Transfers
Queue Interval
Queue Performance dashboard improvements
We've made the following improvements to the Queue Performance - Calls and Queue Performance - Chats dashboards:
Added the dashboards to the Advanced Reporting Landing Page.
Added a Support Phone Number filter.
Renamed the Total Inbound Handled tile (calls only) to Total Queue Answered.
Added a Total Failed tile.
In the Queue Summary table, removed the Total Inbound Calls Handled column and added the following columns: Total Queue Interactions, Total Queue Entries, Total Queue Answered, Total Failed, and Total Transfers.
General dashboard updates
In the Performance Overview dashboard, we renamed the following tiles:
Queued Now to Current Queued Now
Max Queue Time to Current Max Queue Time
The Real-time Connected - Calls and Real-time Connected - Chats dashboards now include the following tiles:
Total Connected Calls (calls only)
Total Connected Chats (chats only)
Avg Current Sentiment Score
In the Queue Group Performance - All dashboard, we renamed the Lang filter to Language.
The following issues were addressed in this release:
Fixed an issue where the CSAT scores in the Performance Overview and CSAT dashboards didn't match.
Fixed an issue where the Queue Performance dashboard incorrectly totaled queue interactions, resulting in lower counts than expected.
Fixed an issue in the All Interactions - Chat dashboard where the Virtual Agents Chats table displayed the wrong chat.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue where the Chat ID filter on the Queue Performance - Chats dashboard incorrectly displayed placeholder values.
Fixed an issue where scheduled exports of large queries were limited to 500 rows, causing reporting delays.
Fixed an issue in the Historical Data table of the Agent Activity dashboard where the Start Time and End Time columns indicated incorrect durations for agents belonging to multiple teams.
Fixed an issue where short abandoned calls and chats were incorrectly included in the Abandons dashboard, causing inaccurate reporting of queue abandon times.
Fixed an issue where dashboard windows didn't fully display their contents.
Network Connectivity Center (NCC) support for Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) is available in public preview.
Cloud Run Threat Detection monitors Cloud Run worker pools. For a list of resources that Cloud Run Threat Detection monitors, see Supported resources.
]]>You can now use GoogleSQL geography functions to work with geospatial data in Bigtable. This feature is generally available (GA). For more information, see Work with geospatial data and Geography functions reference.
Bigtable supports pipe syntax, an extension to GoogleSQL that lets you build simpler and more concise queries. This feature is generally available (GA).
Google Kubernetes Engine (GKE) Gateway supports Cloud CDN to help you cache content closer to your users, improve application latency, and reduce origin load. Using GKE Gateway APIs, you can configure, manage, and fine-tune caching configurations for different segments of your traffic. This feature is in Preview.
For more information, see Configure Cloud CDN for Gateway.
Application Monitoring can display a single, dynamic topology map showing your App Hub applications and your registered and discovered services and workloads. This interactive map identifies services and workloads that have open incidents. It also displays the error rates and P95 latency between your services and workloads.
To learn more, see the following:
General Availability: Cloud NAT gateways for Public NAT support source-based NAT rules for IPv4 addresses.
Support for NVIDIA RTX PRO 6000 Blackwell GPU is in General Availability. For more information, see GPU support for services, jobs, and worker pools.
1.28.5-asm.12 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-33186 | Yes | Yes | Yes | Yes | Critical (9.1) |
| CVE-2026-3731 | Yes | Yes | No | Yes | High (7.5) |
| CVE-2026-3784 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-1965 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-29111 | Yes | Yes | No | Yes | Medium (5.5) |
| CVE-2026-3783 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2025-0167 | Yes | Yes | No | Yes | Low (3.4) |
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.5-asm.12 uses Envoy 1.36.5-dev.
1.27.8-asm.9 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-33186 | Yes | Yes | Yes | Yes | Critical (9.1) |
| CVE-2026-3731 | Yes | Yes | No | Yes | High (7.5) |
| CVE-2026-3784 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-1965 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-29111 | Yes | Yes | No | Yes | Medium (5.5) |
| CVE-2026-3783 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2025-0167 | Yes | Yes | No | Yes | Low (3.4) |
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.8-asm.9 uses Envoy 1.35.10-dev.
The following images are now rolling out for managed Cloud Service Mesh:
These patch releases contain the fixes for the following CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | MDPC | Severity |
|---|---|---|---|---|---|---|
| CVE-2022-27943 | Yes | Yes | Yes | No | No | Medium (5.5) |
| CVE-2023-4039 | Yes | Yes | Yes | No | No | Medium (4.8) |
| CVE-2023-4527 | Yes | Yes | Yes | No | No | Medium (6.5) |
| CVE-2023-4806 | Yes | Yes | Yes | No | No | Medium (5.9) |
| CVE-2023-4911 | Yes | Yes | Yes | No | No | High (7.8) |
| CVE-2023-5156 | Yes | Yes | Yes | No | No | High (7.5) |
| CVE-2023-6246 | Yes | Yes | Yes | No | No | High (7.8) |
| CVE-2024-2961 | Yes | Yes | Yes | No | No | High (7.3) |
| CVE-2024-33599 | Yes | Yes | Yes | No | No | High (8.1) |
| CVE-2024-33600 | Yes | Yes | Yes | No | No | Medium (5.9) |
| CVE-2024-33601 | Yes | Yes | Yes | No | No | High (7.3) |
| CVE-2024-33602 | Yes | Yes | Yes | No | No | High (7.4) |
| CVE-2025-0167 | Yes | Yes | No | No | No | Low (3.4) |
| CVE-2025-0395 | Yes | Yes | Yes | Yes | No | Medium (6.2) |
| CVE-2025-15281 | Yes | Yes | Yes | No | No | High (7.5) |
| CVE-2025-4802 | Yes | Yes | Yes | Yes | No | High (7.8) |
| CVE-2025-68972 | Yes | Yes | No | No | No | Medium (4.7) |
| CVE-2025-8058 | Yes | Yes | Yes | No | No | Low (0.0) |
| CVE-2025-8941 | Yes | Yes | No | No | No | Low (0.0) |
| CVE-2026-0861 | Yes | Yes | Yes | No | No | High (8.4) |
| CVE-2026-0915 | Yes | Yes | Yes | No | No | High (7.5) |
| CVE-2026-1965 | Yes | Yes | No | Yes | Yes | Medium (6.5) |
| CVE-2026-29111 | Yes | Yes | No | Yes | Yes | Medium (5.5) |
| CVE-2026-33186 | Yes | Yes | Yes | No | No | Critical (9.1) |
| CVE-2026-3731 | Yes | Yes | No | Yes | Yes | High (7.5) |
| CVE-2026-3783 | Yes | Yes | No | Yes | Yes | Medium (5.3) |
| CVE-2026-3784 | Yes | Yes | No | No | No | Medium (6.5) |
1.26.8-asm.5 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-33186 | Yes | Yes | Yes | Yes | Critical (9.1) |
| CVE-2026-3731 | Yes | Yes | No | Yes | High (7.5) |
| CVE-2026-3784 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-1965 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-29111 | Yes | Yes | No | Yes | Medium (5.5) |
| CVE-2026-3783 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2025-68972 | Yes | No | No | Yes | Medium (4.7) |
| CVE-2025-0167 | Yes | Yes | No | Yes | Low (3.4) |
| CVE-2025-8941 | Yes | No | No | Yes | Low (0.0) |
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.5 uses Envoy 1.34.14-dev.
The preconfigured base images
include a /google/scripts/keep_alive.sh script to prevent idle
timeouts when running long-running background tasks.
Cluster Toolkit version v1.87.0 is available. This release adds Kueue
support for GKE A4X-Max and introduces support for Customer Managed Encryption
Keys (CMEK) in Google Cloud Managed Lustre. This release also migrates the
install_asapd_lite module to Helm and updates the Google Kubernetes Engine A3 High
blueprint. For details, see the Release announcement on
GitHub.
Visualization cells
Generally available: You can use visualization cells to generate interactive and editable visualizations from within a Colab Enterprise notebook. You can configure the chart type, aggregation, colors, labels, and other aspects of the visualization to help you explore data and discover insights. For more information, see Use visualization cells.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.2 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.1 | See List |
This is an LTS Refresh release.
Added support for 8th generation TPU devices.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
Changed default sysctl networking values on A4x-max machine type only.
Upgraded sys-apps/iproute2 to version 6.18.0.
Reverted iproute2 to v5.16.0.
Changed default sysctl networking values on A4x-max machine type only.
Upgraded app-arch/unzip to v6.0_p29-r2.
Reverted iproute2 to v5.16.0.
Upgraded app-containers/cni-plugins to v1.9.1.
Fixed a kernel panic in virtio_pci teardown when virtual queues are conditionally skipped.
Upgraded app-shells/dash to v0.5.13.2.
Upgraded net-misc/rsync to v3.4.1-r3.
Upgraded sys-apps/hwdata to v0.401.
Upgraded sys-apps/pv to v1.10.4.
Upgraded sys-libs/zlib to v1.3.2-r1.
Upgraded app-shells/dash to v0.5.13.2.
Runtime sysctl changes:
Upgraded dev-db/sqlite to v3.51.2.
Upgraded net-misc/rsync to v3.4.1-r3.
Upgraded net-misc/socat to v1.8.1.1.
Upgraded sys-apps/hwdata to v0.401.
Upgraded sys-process/procps to v4.0.6.
Upgraded virtual/logger to v0-r3.
Fixed CVE-2024-14027 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Fixed KCTF-7cb9a23 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.7 | See List |
Upgraded app-shells/dash to v0.5.13.2.
Fixed CVE-2024-14027 in the Linux kernel.
Fixed CVE-2024-43826 in the Linux kernel.
Fixed CVE-2025-38704 in the Linux kernel.
Fixed CVE-2025-39748 in the Linux kernel.
Fixed CVE-2025-39764 in the Linux kernel.
Fixed CVE-2026-23154 in the Linux kernel.
Fixed CVE-2026-23243 in the Linux kernel.
Fixed CVE-2026-23343 in the Linux kernel.
Fixed CVE-2026-23360 in the Linux kernel.
Fixed CVE-2026-23401 in the Linux kernel.
Fixed CVE-2026-23412 in the Linux kernel.
Fixed CVE-2026-23413 in the Linux kernel.
Fixed CVE-2026-23414 in the Linux kernel.
Fixed CVE-2026-23439 in the Linux kernel.
Fixed CVE-2026-23441 in the Linux kernel.
Fixed CVE-2026-23449 in the Linux kernel.
Fixed CVE-2026-23452 in the Linux kernel.
Fixed CVE-2026-23455 in the Linux kernel.
Fixed CVE-2026-23456 in the Linux kernel.
Fixed CVE-2026-23457 in the Linux kernel.
Fixed CVE-2026-23458 in the Linux kernel.
Fixed CVE-2026-23471 in the Linux kernel.
Fixed CVE-2026-31392 in the Linux kernel.
Fixed CVE-2026-31400 in the Linux kernel.
Fixed CVE-2026-31402 in the Linux kernel.
Fixed CVE-2026-31403 in the Linux kernel.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Upgraded app-shells/dash to v0.5.13.2.
Upgraded sys-apps/hwdata to v0.401.
Upgraded virtual/logger to v0-r3.
Fixed CVE-2024-14027 in the Linux kernel.
Fixed CVE-2026-23154 in the Linux kernel.
Fixed CVE-2026-23244 in the Linux kernel.
Fixed CVE-2026-23319 in the Linux kernel.
Fixed CVE-2026-23343 in the Linux kernel.
Fixed CVE-2026-23360 in the Linux kernel.
Fixed CVE-2026-23401 in the Linux kernel.
Fixed CVE-2026-23439 in the Linux kernel.
Fixed CVE-2026-23441 in the Linux kernel.
Fixed CVE-2026-23449 in the Linux kernel.
Fixed CVE-2026-23452 in the Linux kernel.
Fixed CVE-2026-23455 in the Linux kernel.
Fixed CVE-2026-23456 in the Linux kernel.
Fixed CVE-2026-23457 in the Linux kernel.
Fixed CVE-2026-23458 in the Linux kernel.
Fixed CVE-2026-23471 in the Linux kernel.
Fixed CVE-2026-31392 in the Linux kernel.
Fixed CVE-2026-31400 in the Linux kernel.
Fixed CVE-2026-31402 in the Linux kernel.
Fixed CVE-2026-31403 in the Linux kernel.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Upgraded app-shells/dash to v0.5.13.2.
Upgraded sys-apps/hwdata to v0.401.
Upgraded virtual/logger to v0-r3.
Fixed CVE-2025-38162 in the Linux kernel.
Fixed CVE-2025-39764 in the Linux kernel.
Fixed CVE-2026-23154 in the Linux kernel.
Fixed CVE-2026-23343 in the Linux kernel.
Fixed CVE-2026-23439 in the Linux kernel.
Fixed CVE-2026-23449 in the Linux kernel.
Fixed CVE-2026-23452 in the Linux kernel.
Fixed CVE-2026-23455 in the Linux kernel.
Fixed CVE-2026-23456 in the Linux kernel.
Fixed CVE-2026-23457 in the Linux kernel.
Fixed CVE-2026-23458 in the Linux kernel.
Fixed CVE-2026-31392 in the Linux kernel.
Fixed CVE-2026-31400 in the Linux kernel.
Fixed CVE-2026-31402 in the Linux kernel.
Fixed CVE-2026-31403 in the Linux kernel.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.5 | See List |
Changed default sysctl networking values on A4x-max machine type only.
Reverted iproute2 to v5.16.0.
Upgraded net-misc/rsync to v3.4.1-r3.
Upgraded sys-apps/hwdata to v0.401.
Upgraded virtual/logger to v0-r3.
Fixed CVE-2026-23343 in the Linux kernel.
Images with Nvidia 570 drivers have been deprecated as Nvidia officially stopped supporting these versions. You can use images with Nvidia 580 drivers instead.
You can use Filestore CSI driver to dynamically scale custom performance for zonal and regional Filestore instances.
For more information, see Dynamically scale Filestore performance using VolumeAttributesClass.
You can now use the Usage Insights dashboard in the Google Cloud console to monitor and analyze your billable usage for specific Firestore databases. Usage insights help you track granular usage data, optimize costs, and monitor historical trends.
To learn more, see the guide to analyze usage insights for Native mode and MongoDB compatibility mode.
Various bug fixes related to quota issues.
Various bug fixes related to quota issues.
Gemini Enterprise: Enhanced filtering for Google Chat data stores (Preview)
You can configure filters for your Google Chat data stores using either the Google Cloud console or the API. These filters allow you to define exactly which Google Chat data is accessible to the Assistant by including or excluding specific content.
This feature is in Public Preview and is applicable for federated search only. For more information, see Set up a Google Chat data store and Add filters to a Google Chat data store.
The validation of the HealthCheckPolicy custom resource from the
GKE Gateway API is more rigorous in GKE
version 1.34 and later. Existing HealthCheckPolicy resources that already
contain mismatched type fields in the config are exempted and continue to
function. However, updates to any existing policy must not introduce a
mismatched type field in the config or change currently mismatched
fields to new invalid values.
When the HealthCheckPolicy custom resource is validated, the type field
is now verified against the specified health check. For example, if
type: TCP is specified but httpHealthCheck is configured, then the fields
are mismatched and kubectl rejects the policy. However, for this same example,
if type: TCP is specified and tcpHealthCheck is configured, then the
fields are valid.
Earlier versions of GKE accept custom resources that don't have matching fields. If you use an earlier version, the type field is used and the configuration in the health check field is ignored.
For more details, see Configure health checks.
Requesters can schedule grant requests in Privileged Access Manager up to seven days in advance. This lets requesters align access with scheduled maintenance or on-call shifts.
This feature is in preview.
For more information, see Privileged Access Manager overview.
Version 1.0 of Bloom filters and JSON documents is Generally Available.
Spanner supports importing data from Cloud SQL for MySQL. This feature lets you migrate the schema and perform a one-time bulk data load to evaluate Spanner for your use case. For more information, see Import from Cloud SQL to Spanner.
This feature is generally available.
]]>Release 6.3.83 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Release 6.3.82 is now available for all regions.
]]>Fixed a problem with missing DAG description and schedule in the DAG UI which occurred in environments with Airflow 3 in some cases.
Fixed an issue where DAG descriptions and schedules occasionally weren't displayed in DAG UI for environments with Airflow 3.
New Airflow builds are available in Cloud Composer 3:
These builds are versions with an extended upgrade timeline.
New images are available in Cloud Composer 2:
These images are versions with an extended upgrade timeline.
The Maintenance page supports viewing maintenance activities for App Hub applications that you have created in App Hub or Application Design Center. This feature is in Preview.
Published service backends let you configure supported load balancers or regional Cloud Service Mesh to route traffic to published services through Private Service Connect endpoints.
For more information, see Published service backends.
This feature is in Preview.
Use Cloud Trace to troubleshoot your MCP server usage, tool failures, and latency causes. For more information, see Investigate MCP calls using Trace.
SQL cells
Generally available: You can use SQL cells to write, edit, and run SQL queries directly from your Colab Enterprise notebooks. For more information, see Use SQL cells.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) names remain unchanged.
The lightweight profiling mode for data profile scans is available in preview.
The lightweight mode provides low-latency profile scans that return results in seconds, making it ideal for grounding AI agent responses and interactive data exploration. For more information, see Profiling modes.
Datastream is now integrated with Knowledge Catalog. This integration lets you search for and browse your Datastream resources, such as streams, connection profiles, and connectivity configurations directly in Knowledge Catalog.
For more information, see the documentation.
From April 10, 2026, creating, running, and editing Gemini Cloud Assist investigations will only be available to users with a Premium Support contract or who have requested access through their account team. If you ran an investigation prior to April 10, 2026, the results of the investigation continue to be available to you in the Google Cloud console.
Gmail: Version 9.0
A new predefined widget has been added to the following action:
Tanium: Version 19.0
A new predefined widget has been added to the following action:
Cynet: Version 13.0
New predefined widgets have been added to the following actions:
Delete Hash In Hosts
Kill Hash In Hosts
Quarantine Hash In Hosts
Area1: Version 9.0
A new predefined widget has been added to the following action:
Azure Active Directory: Version 26.0
A new predefined widget has been added to the following action:
MX ToolBox: Version 14.0
A new predefined widget has been added to the following action:
Active Directory: Version 41.0
New predefined widgets have been added to the following actions:
Is User In Group
List User Groups
Cisco Threat Grid: Version 18.0
New predefined widgets have been added to the following actions:
Get Hash Associated Domains
Get Hash Associated IPs
Google Chronicle: Version 81.0
The following new action has been added:
Endgame: Version 15.0
New predefined widgets have been added to the following actions:
Collect Autoruns
Drivers Survey (Windows only)
Firewall Survey (Windows only)
Process Survey
Removable Media Survey (Windows only)
Software Survey (Windows only)
User Sessions Survey
AWS Identity and Access Management (IAM): Version 10.0
A new predefined widget has been added to the following action:
Carbon Black Response: Version 39.0
A new predefined widget has been added to the following action:
Carbon Black Protection: Version 13.0
A new predefined widget has been added to the following action:
McAfee ATD: Version 17.0
A new predefined widget has been added to the following action:
UnshortenMe: Version 9.0
A new predefined widget has been added to the following action:
CiscoUmbrella: Version 19.0
A new predefined widget has been added to the following action:
Microsoft Graph Mail: Version 40.0
A new predefined widget has been added to the following action:
Exabeam Advanced Analytics: Version 10.0
Introduced light theme support for the predefined widget of the following action:
Check Point SandBlast: Version 8.0
Introduced light theme support for predefined widgets of the following actions:
Query
Upload File
Palo Alto AutoFocus: Version 12.0
Introduced light theme support for predefined widgets of the following actions:
Hunt Domain
Hunt File
Hunt Ip
Hunt Url
XForce: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Get Hash Info
Get IP Info
Get IP malware
Get Url Info
Trend Micro Apex Central: Version 7.0
Introduced light theme support for predefined widgets of the following actions:
Create Entity UDSO
Create File UDSO
Enrich Entities
BulkWhoIs: Version 18.0
Introduced light theme support for the predefined widget of the following action:
Any.Run: Version 12.0
Introduced light theme support for the predefined widget of the following action:
Siemplify ThreatFuse: Version 19.0
Introduced light theme support for the predefined widget of the following action:
Google Cloud Policy Intelligence: Version 7.0
Introduced light theme support for the predefined widget of the following action:
MISP: Version 38.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Event Details
Get Related Events
ReversingLabs Titanium: Version 12.0
Introduced light theme support for the predefined widget of the following action:
MX ToolBox: Version 14.0
Introduced light theme support for predefined widgets of the following actions:
A Record Lookup
Blacklist Check
MX Record Lookup
Reverse DNS Lookup
Google Rapid Response (GRR): Version 11.0
Introduced light theme support for predefined widgets of the following actions:
Get Client Details
List Clients
List Launched Flows
Armis: Version 15.0
Introduced light theme support for the predefined widget of the following action:
Lastline: Version 9.0
Introduced light theme support for the predefined widget of the following action:
McAfee Mvision EPO: Version 11.0
Introduced light theme support for the predefined widget of the following action:
Office 365 Cloud App Security: Version 26.0
Introduced light theme support for predefined widgets of the following actions:
Get IP related activities
Get User related activities
SSL Labs: Version 11.0
Introduced light theme support for the predefined widget of the following action:
Qualys VM: Version 25.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Host
List Endpoint Detections
Exchange: Version 123.0
Introduced light theme support for predefined widgets of the following actions:
Get Account Out Of Facility Settings
Send Email And Wait
Microsoft Defender ATP: Version 31.0
Added Graph API V2 version support to the following actions:
Get User Related Alerts
List Alerts
Ping
Update Alert
Deprecated the following actions:
Get File Related Alerts
Get Machine Related Alerts
Added Graph API V2 version support to the following connector:
(REGRESSIVE) The connector must be updated by April 10, 2026.
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Execute Live Response Command
Get File Related Alerts
Get File Related Machines
Get Machine Logon Users
Get Machine Recommendations
Get Machine Related Alerts
Get Machine Vulnerabilities
Get User Related Alerts
Cisco AMP: Version 23.0
Introduced light theme support for predefined widgets of the following actions:
Get Computer Info
Get Computers By File Hash
Get Computers By File Name
Get Computers By Network Activity (Ip)
Get Computers By Network Activity (URL)
Isolate Machine
Unisolate Machine
HaveIBeenPwned: Version 10.0
Introduced light theme support for the predefined widget of the following action:
Symantec Blue Coat ProxySG: Version 7.0
Introduced light theme support for predefined widgets of the following actions:
Block Entities
Enrich Entities
Cybereason: Version 25.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Sensor Details
Is Probe Connected
Cofense Triage: Version 21.0
Introduced light theme support for predefined widgets of the following actions:
EnrichURL
Get Domain Details
Get Threat Indicator Details
Slack: Version 30.0
Introduced light theme support for predefined widgets of the following actions:
Send Advanced Message
Send Message
IPVoid: Version 12.0
Introduced light theme support for the predefined widget of the following action:
RSA NetWitness EDR: Version 9.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Endpoint
Get IOC Details
Microsoft Intune: Version 8.0
Introduced light theme support for the predefined widget of the following action:
Trend Micro DDAN: Version 6.0
Introduced light theme support for predefined widgets of the following actions:
Submit File
Submit File URL
Tenable.io: Version 17.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
List Endpoint Vulnerabilities
JoeSandbox: Version 11.0
Introduced light theme support for predefined widgets of the following actions:
Search Hash
Search Url
Endgame: Version 15.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Network Survey
System Survey
ThreatQ: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Enrich CVE
Enrich Email
Enrich Hash
Enrich IP
Enrich URL
Get Indicator Details
Get Malware Details
Link Entities
Link Entities To Object
List Entity Related Objects
Update Indicator Score
Update Indicator Status
RSA NetWitness Platform: Version 17.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Endpoint
Enrich File
Query NetWitness For Events Around Host
Query NetWitness For Events Around IP
Query NetWitness For Events Around User
McAfee TIEDXL: Version 9.0
Introduced light theme support for the predefined widget of the following action:
Symantec Endpoint Protection 14: Version 21.0
Introduced light theme support for the predefined widget of the following action:
FireEye AX: Version 9.0
Introduced light theme support for the predefined widget of the following action:
Splash: Version 7.0
Introduced light theme support for the predefined widget of the following action:
MalShare: Version 11.0
Introduced light theme support for the predefined widget of the following action:
Elastica CloudSOC: Version 8.0
Introduced light theme support for the predefined widget of the following action:
Amazon Macie: Version 10.0
Introduced light theme support for the predefined widget of the following action:
CiscoUmbrella: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Get Domain Security Info
Get Domain Status
Get Whois
Is Domain In Cisco Popularity List
SCCM: Version 21.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Computer Properties
Get Login History
Web Risk: Version 4.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Submit Entities
DShield: Version 8.0
Introduced light theme support for the predefined widget of the following action:
Tenable Security Center: Version 22.0
Introduced light theme support for predefined widgets of the following actions:
Enrich IP
Get Related Assets
Get Vulnerabilities for IP
ServiceNow: Version 63.0
Introduced light theme support for the predefined widget of the following action:
McAfee EPO: Version 37.0
Introduced light theme support for predefined widgets of the following actions:
Compare Server and Agent DAT
Get Agent Information
Get Dat Version
Get Endpoint Events
Get Events For Hash
Get Host IPS Status
Get Host Network IPS Status
Get Last Communication Time
Get McAfee Epo Agent Version
Get System Information
Get Virus Engine Agent Version
Run Full Scan
Update Mcafee Agent
RSA NetWitness: Version 20.0
Introduced light theme support for predefined widgets of the following actions:
Query NetWitness For Events Around Host
Query NetWitness For Events Around IP
Query NetWitness For Events Around User
Axonius: Version 7.0
Introduced light theme support for predefined widgets of the following actions:
Add Note
Enrich Entities
Automox: Version 8.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Execute Device Command
Execute Policy
Cylance: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Threat
Get Threat Devices
Get Threat Download Link
Anomali: Version 15.0
Introduced light theme support for the predefined widget of the following action:
TruSTAR: Version 9.0
Introduced light theme support for the predefined widget of the following action:
PhishingInitiative: Version 12.0
Introduced light theme support for the predefined widget of the following action:
Digital Shadows: Version 12.0
Introduced light theme support for predefined widgets of the following actions:
EnrichCVE
EnrichHash
EnrichIP
EnrichURL
iBoss: Version 14.0
Introduced light theme support for the predefined widget of the following action:
Google Cloud IAM: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Service Account IAM Policy
Rotate Service Account Keys
Set Service Account IAM Policy
Sumo Logic Cloud SIEM: Version 13.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Search Entity Signals
Microsoft Teams: Version 37.0
Introduced light theme support for predefined widgets of the following actions:
Create Chat
Send User Message
FortiAnalyzer: Version 12.0
Introduced light theme support for the predefined widget of the following action:
Sophos: Version 21.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Events Log
Get Services Status
Palo Alto Cortex XDR: Version 27.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Scan Endpoint
Cisco Threat Grid: Version 18.0
Introduced light theme support for the predefined widget of the following action:
Intezer: Version 14.0
Introduced light theme support for the predefined widget of the following action:
Recorded Future: Version 22.0
Introduced light theme support for predefined widgets of the following actions:
Enrich CVE
Enrich Hash
Enrich Host
Enrich IP
Enrich IOC
Enrich URL
Gmail: Version 9.0
Introduced light theme support for predefined widgets of the following actions:
Search For Emails
Wait For Thread Reply
Illusive Networks: Version 7.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Run Forensic Scan
VirusTotal: Version 42.0
Introduced light theme support for predefined widgets of the following actions:
Get Domain Report
Scan Hash
Scan IP
Scan URL
Upload And Scan Files
Anomali ThreatStream: Version 15.0
Introduced light theme support for the predefined widget of the following action:
ThreatConnect: Version 17.0
Introduced light theme support for the predefined widget of the following action:
Azure Active Directory: Version 26.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Host
Enrich User
Get Manager Contact Details
List Users
List User's Groups Membership
Revoke User Session
Splunk: Version 65.0
Introduced light theme support for the predefined widget of the following action:
Attivo: Version 10.0
Introduced light theme support for the predefined widget of the following action:
Cisco ISE: Version 16.0
Introduced light theme support for the predefined widget of the following action:
DeepSight: Version 11.0
Introduced light theme support for predefined widgets of the following actions:
Scan Domain
Scan Email
Scan File Name
Scan Hash
Scan IP
Scan URL
Symantec Email Security Cloud: Version 5.0
Introduced light theme support for the predefined widget of the following action:
GSuite: Version 26.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Get Extension Details
Get Group Details
Get Host Browser Details
List Group Privileges
List User Privileges
Revoke User Session
Search User Activity Events
SymantecESCC: Version 9.0
Introduced light theme support for the predefined widget of the following action:
Google Cloud Compute: Version 17.0
Introduced light theme support for the predefined widget of the following action:
FireEye HX: Version 23.0
Introduced light theme support for predefined widgets of the following actions:
Get Host Alert Groups
Get Host Info
Get List of File Acquisitions For Host
Is Contain Malware Alerts
Rapid7 InsightVm: Version 16.0
Introduced light theme support for the predefined widget of the following action:
McAfee Mvision EDRV2: Version 5.0
Introduced light theme support for the predefined widget of the following action:
HCL BigFix Inventory: Version 5.0
Introduced light theme support for the predefined widget of the following action:
SiemplifyUtilities: Version 29.0
Added support for a custom delimiter in the following action:
Nmap: Version 4.0
Introduced light theme support for the predefined widget of the following action:
VMware Carbon Black Enterprise EDR: Version 10.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Hash
Get Events Associated With Process by Process Guide
Process Search
Outpost24: Version 8.0
Introduced light theme support for the predefined widget of the following action:
PassiveTotal: Version 14.0
Introduced light theme support for predefined widgets of the following actions:
WhoIs Address Reputation
Whois Host Reputation
WhoIs Scan Address
WhoIs Scan Domain
Carbon Black Defense: Version 12.0
Introduced light theme support for predefined widgets of the following actions:
Get Device Info
Get Events
Get Processes
QRadar: Version 67.0
Introduced light theme support for predefined widgets of the following actions:
Similar Events Query
Similar Flows Query
SentinelOneV2: Version 49.0
Introduced light theme support for predefined widgets of the following actions:
Create Hash Blacklist Record
Create Hash Exclusion Record
Get Agent Status
Get Application List For Endpoint
Get Events For Endpoint Hours Back
Get Group Details
Get Hash Reputation
Zscaler: Version 13.0
Introduced light theme support for predefined widgets of the following actions:
Get Sandbox Report
Lookup Entity
McAfee Mvision EDR: Version 11.0
Introduced light theme support for the predefined widget of the following action:
Tanium: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Delete File
Enrich Entities
List Endpoint Events
Quarantine Endpoint
VMware Carbon Black Endpoint Standard Live Response: Version 10.0
Introduced light theme support for predefined widgets of the following actions:
Create Memdump
Delete File
Delete File from Cloud Storage
Download File
Execute File
Kill Process
List Files
List Files in Cloud Storage
List Processes
Put File
VSphere: Version 12.0
Introduced light theme support for the predefined widget of the following action:
Nozomi Networks: Version 10.0
Introduced light theme support for the predefined widget of the following action:
Active Directory: Version 41.0
Introduced light theme support for predefined widgets of the following actions:
Enrich entities
Get Manager Contact Details
Talos: Version 20.0
Introduced light theme support for predefined widgets of the following actions:
Get Reputation
WhoIs
Check Point Threat Reputation: Version 8.0
Introduced light theme support for predefined widgets of the following actions:
Get File Hash Reputation
Get Host Reputation
Get IP Reputation
Zabbix: Version 16.0
Introduced light theme support for the predefined widget of the following action:
FireEye Helix: Version 19.0
Introduced light theme support for the predefined widget of the following action:
Malware Domain List: Version 11.0
Introduced light theme support for the predefined widget of the following action:
AlienVault USM Appliance: Version 26.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Assets
Enrich Vulnerabilities
Alexa: Version 9.0
Introduced light theme support for the predefined widget of the following action:
AWS GuardDuty: Version 12.0
Introduced light theme support for predefined widgets of the following actions:
Get a Trusted IP List
Get Detector Details
Get Threat Intelligence Set Details
HTTP: Version 15.0
Introduced light theme support for the predefined widget of the following action:
BlueLiv: Version 13.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
List Entity Threats
Azure AD Identity Protection: Version 9.0
Introduced light theme support for the predefined widget of the following action:
Carbon Black Response: Version 39.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Binary
Enrich Process
Get System Info
Hosts By Process
List Processes
Falcon Sandbox: Version 21.0
Introduced light theme support for predefined widgets of the following actions:
Get Hash Scan Report
Scan URL
Submit File
CSV: Version 41.0
Introduced light theme support for predefined widgets of the following actions:
CSV Search by Entity
CSV Search by String
URLVoid: Version 14.0
Introduced light theme support for the predefined widget of the following action:
Harmony Mobile: Version 7.0
Introduced light theme support for the predefined widget of the following action:
Cloudflare: Version 8.0
Introduced light theme support for the predefined widget of the following action:
Carbon Black Protection: Version 13.0
Introduced light theme support for the predefined widget of the following action:
Jira: Version 56.0
Introduced light theme support for the predefined widget of the following action:
Microsoft Graph Mail Delegated: Version 17.0
Introduced light theme support for the predefined widget of the following action:
Trend Vision One: Version 9.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
Execute Custom Script
Isolate Endpoint
Submit File
Submit URL
Unisolate Endpoint
Internet Storm Center: Version 6.0
Introduced light theme support for the predefined widget of the following action:
AlienVaultTI: Version 14.0
Introduced light theme support for the predefined widget of the following action:
Google Threat Intelligence: Version 14.0
Migrated the following connector to new API endpoints:
Shodan: Version 17.0
Introduced light theme support for the predefined widget of the following action:
Cisco Vulnerability Management: Version 3.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
List Asset Vulnerabilities
ForeScout CounterACT: Version 6.0
Introduced light theme support for the predefined widget of the following action:
McAfee ESM: Version 46.0
Introduced light theme support for predefined widgets of the following actions:
Get Similar Events
Send Entity Query To ESM
LogRhythm: Version 23.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
List Entity Events
Mandiant ASM: Version 13.0
Introduced light theme support for the predefined widget of the following action:
Ivanti Endpoint Manager: Version 10.0
Introduced light theme support for predefined widgets of the following actions:
Enrich Entities
List Endpoint Vulnerabilities
Cuckoo: Version 14.0
Introduced light theme support for the predefined widget of the following action:
IntSights: Version 27.0
Introduced light theme support for the predefined widget of the following action:
Vectra: Version 13.0
Introduced light theme support for the predefined widget of the following action:
McAfee ATD: Version 17.0
Introduced light theme support for the predefined widget of the following action:
FortinetFortiSIEM: Version 10.0
Introduced light theme support for the predefined widget of the following action:
ThreatCrowd: Version 9.0
Introduced light theme support for the predefined widget of the following action:
APIVoid: Version 14.0
Introduced light theme support for predefined widgets of the following actions:
Get domain reputation
Get Ip Reputation
Get Screenshot
Get URL Reputation
Verify Email
McAfee Mvision EPOV2: Version 8.0
Introduced light theme support for the predefined widget of the following action:
VMRay: Version 19.0
Introduced light theme support for predefined widgets of the following actions:
Scan Hash
Scan URL
Google Chronicle: Version 81.0
Added support for CIDR matching to the following action:
When configuring extensions by using plugins or callouts, you can specify some request and connection attributes to forward to backend services. For more information, see supported attributes.
Private Service Connect consumers can configure supported load balancers or regional Cloud Service Mesh to access published services through Private Service Connect endpoints. This feature is available in Preview.
For more information, see Published service backends.
]]>Relaxed limitation on header name for Client IP resolution
The client IP can now be resolved from any header, not just the X-Forwarded-For header. The most common headers are X-Forwarded-For or True-Client-Ip.
For more information, see Client IP resolution.
You can use Gemini in Bigtable Studio to help you write GoogleSQL queries. This feature is available in Preview. For more information, see Write SQL with Gemini assistance.
Security & compliance in Cloud Hub is in Preview.
Generally available: Hyperdisk ML disks are supported by the following machine series:
Hyperdisk ML offers the highest throughput of all Google Cloud Hyperdisk types, up to 2 TiB/s (2,097,152 MiB/s). For more information, see Hyperdisk ML overview.
You can now specify a custom execution identity for data quality and data profile scans. By default, scans are executed using the Service Agent. You can now use a custom service account (Bring Your Own Service Account) or End-User Credentials (EUC). Using a custom execution identity lets you enforce the principle of least privilege, use fine-grained BigQuery access controls, and unify scan processing costs directly under BigQuery.
For more information, see Configure execution identity for data quality scans and Configure execution identity for data profile scans.
Filestore is integrated with Backup and Disaster Recovery (DR) Service allowing you to centrally manage your backups with advanced features for data protection. This feature is generally available for Filestore instances.
For more information, see Backups overview.
You can now use Gemini Code Assist to get AI-powered assistance in Firestore to generate MQL queries using natural language prompts. This feature is available in Preview.
VS Code Gemini Code Assist 2.77.1 now attributes agent mode logs to Gemini
Code Assist. In previous versions, agent mode logs are being attributed to
Gemini CLI instead of Gemini Code Assist. This discrepancy is resolved in the
latest release, and we recommend that you update to version 2.77.1 or higher
to ensure your usage metrics are correctly reported.
VS Code Gemini Code Assist 2.77.1 now attributes agent mode logs to Gemini
Code Assist. In previous versions, agent mode logs are being attributed to
Gemini CLI instead of Gemini Code Assist. This discrepancy is resolved in the
latest release, and we recommend that you update to version 2.77.1 or higher
to ensure your usage metrics are correctly reported.
Gemini Enterprise: Support for new actions
New actions are available for the following data stores:
For a list of actions for these data stores, see Supported actions.
You can now use Privileged Access Manager (PAM) to delete clusters in the private clouds.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2320000 | cos-117-18613-534-53 | cos-117-18613-534-53 release notes |
| 1.31.14-gke.1723000 | cos-117-18613-534-53 | cos-117-18613-534-53 release notes |
| 1.32.13-gke.1258000 | cos-117-18613-534-53 | cos-117-18613-534-53 release notes |
| 1.33.10-gke.1115000 | cos-121-18867-381-56 | cos-121-18867-381-56 release notes |
| 1.34.6-gke.1154000 | cos-125-19216-220-106 | cos-125-19216-220-106 release notes |
| 1.35.3-gke.1234000 | cos-125-19216-220-72 | cos-125-19216-220-72 release notes |
Starting with the Looker 26.8 release, which will release in May 2026, the following changes will occur:
Before your Looker instance is upgraded to the Looker 26.8 release, your admin must follow the steps in the Migrating users to service accounts documentation page. This is to ensure admins can either create or migrate service accounts from existing standard users if they require access to users' API credentials.
For more information, see the Discontinuing the admin capability to create, view, and manage API credentials for a standard user deprecation notice.
Key insights from Security Command Center are available on the Security & compliance page in Cloud Hub. This feature is available in Preview.
Google Kubernetes Engine (GKE) Gateway support for using extensions by using callouts to add custom logic into the load balancing processing path is in General Availability. For more information, see GKE extensions.
]]>You can delete up to 1,000 objects in a single request by using the Cloud Storage multi-object delete XML API. If you use Amazon S3-compatible tools or libraries, you can point your request to the Cloud Storage endpoint to use this feature with your existing workflows. For more information, see Delete objects and Delete multiple objects.
Google Cloud CLI lets you configure trace scopes, manage observability buckets, and set default observability settings. These features are in Public Preview. For more information, see the following documents:
Configure trace scopes by using the Google Cloud console, the Google Cloud CLI, Terraform, or the Observability API. For more information, see Create and manage trace scopes.
Manage trace storage by using the Google Cloud CLI or the Observability API. For more information, see Manage trace storage.
Configure default settings by using the Google Cloud CLI, Terraform, or the Observability API. For more information, see Set defaults for observability buckets.
M132 release
Gemini Cloud Assist has replaced the cloudaicompanion.instances.completeTask
IAM permission with geminicloudassist.agents.invoke. If you
have access to Gemini Cloud Assist through a custom IAM role,
you must update the role to continue having access. For more information, see the
deprecated IAM permissions
document.
Gateway API v1.5 is supported in GKE version 1.35.2-gke.1842000 and later. The GKE Gateway controller passes core conformance tests for this version of the Gateway API.
GKE managed DRANET is now Generally Available (GA) for GKE version 1.35.2-gke.1842000 or later.
GKE DRANET is a managed feature that implements the Kubernetes Dynamic Resource Allocation (DRA) API for high-performance networking. The GA release expands support beyond the preview phase to include the following hardware:
For more information, see Allocate network resources by using GKE managed DRANET.
The feature announced on November 7, 2025, providing faster log processing, has been rolled back. The rollback is due to an issue in an underlying dependency. The described performance improvements are not currently in effect.
Emerging Threats Center general availability
The Emerging Threats Center is now in General Availability (GA) and includes the following new features and enhancements:
For more information, see Emerging Threats Center overview and Emerging Threats Center detail view.
Emerging Threats Center general availability
The Emerging Threats Center is now in General Availability (GA) and includes the following new features and enhancements:
For more information, see Emerging Threats Center overview and Emerging Threats Center detail view.
]]>You can connect to Bigtable from Java applications and other reporting tools that support a generic JDBC adapter by using the Bigtable JDBC driver. This feature is generally available (GA).
You can use protocol buffer (protobuf) schemas to query individual fields within protobuf messages stored as bytes in Bigtable. You can query your protobuf data using GoogleSQL for Bigtable, continuous materialized views, logical views, or BigQuery external tables. This feature is generally available (GA).
You can use the Database Migration Service MCP server to enable agents and AI applications to view and manage running migration jobs. This feature is in Preview.
You can now ingest OTLP-formatted logs into Cloud Logging by using an OpenTelemetry Collector, an OTLP exporter, and the Telemetry API. For more information, see OTLP log ingestion overview. The Telemetry API for log ingestion is in Preview.
Live migration is generally available (GA) on Confidential VM instances that meet the following configuration criteria:
A C3D machine type
AMD SEV Confidential Computing technology
An operating system image that supports live migration
When you use min_ram or cpu_count resource hints for pipeline steps that
don't require accelerators, Auto VM Selection (Instance Flexibility) is enabled
automatically. With Auto VM Selection, workers are provisioned from a curated
list of machine types that meet your RAM and CPU requirements. For more
information, see Auto VM Selection for worker machine
types.
You can now use the Datastream remote MCP server to enable LLM agents to perform data-related tasks, such as managing and monitoring your streams, connection profiles, and stream objects.
This feature is in Preview.
Gemini Enterprise: Dropbox federated data store
The Dropbox federated data store is generally available (GA) in Gemini Enterprise.
For more information, see Set up a Dropbox data store.
Advance reporting dashboards 4.12
We've released version 4.12 of the advanced reporting dashboards.
Repeat contacts data added to advanced reporting dashboards
Repeat contacts data is now available in the following advanced reporting dashboards:
Real-time Queue Monitoring - Calls and Real-time Queue Monitoring - Chats: new Total Repeat Contacts tile. For more information, see Queue monitoring dashboards.
All Interactions - Calls and All Interactions - Chats: new Repeat Contact column in the Call Metric Detail and Chat Metric Detail tables.
Real-time Calls - Calls Connected and Real-time Chats - Chats Connected: new Repeat Contact column in the Connected Calls and Connected Chats tables.
New Total Queued Answered metric in the Chat Queue Metrics Explore
The Chat Queue Metrics Explore now includes the Total Queued Answered metric. This metric provides a precise count of chats answered from the queue, providing accurate Service Level Agreement (SLA) and answer rate calculations where the standard "handled" metric might not apply—for example, if a chat is answered and then immediately disconnected.
The following issues were addressed in this release:
Fixed an issue where fields for hourly and 30-minute intervals in call queue metrics didn't display detailed data over long date ranges.
Fixed an issue where the Teams Filter filter displayed incorrect data.
Fixed an issue where calls that started at a specific time didn't appear in their corresponding time windows.
Fixed an issue in the Agent Activity dashboard where the Created By column attributed status changes to an agent when an administrator performed the changes.
Fixed an issue where historical call and chat metrics displayed incorrect timestamps.
On the Real-time Queue Monitoring - Calls and Real-time Queue Monitoring - Chats dashboards, in the Historical Data tables, the Avg CSAT column was renamed CSAT.
Fixed an issue on the Channel Interval - Calls and Channel Interval - Chats dashboards where drill-down views in the trend tiles displayed incorrect information or were empty.
Fixed an issue in the Queue Group Performance - All dashboard where blue highlighting wasn't applied to populated fields in the Queue Group Performance Calls and Queue Group Performance Chats tables.
Search query editor enhancements
Google SecOps has enhanced the search query editor to provide intelligent auto-suggestions and improved error handling.
For more information, see Use auto-suggestions to build queries.
Health Hub
This feature is currently in Preview.
The Health Hub is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The Health Hub provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.
The Health Hub includes information about the following:
For more information, see Use the Health Hub.
Search query editor enhancements
Google SecOps has enhanced the search query editor to provide intelligent auto-suggestions and improved error handling.
For more information, see Use auto-suggestions to build queries.
Health Hub
This feature is currently in Preview.
The Health Hub is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The Health Hub provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.
The Health Hub includes information about the following:
For more information, see Use the Health Hub.
Organization Policy Service custom constraints are available for managed workload identity and Workload Identity Federation. You can use custom constraints to control how managed workload identity and Workload Identity Federation are used in your organization. For more information, see Custom organization policy constraints for managed workload identity and Custom organization policy constraints for Workload Identity Federation.
The Table Visualization Improvements preview feature is now available and is disabled by default.
When this preview feature is enabled, you can use the following features for table visualizations:
You can now create tag keys and tag bindings with dynamic values using the Google Cloud console. You can also use a new unified API and Google Cloud CLI to add or update tags on a resource.
For more information, see Create and define a new tag.
Parameter Manager supports the latest identifier, which lets you fetch the
most recent parameter value without specifying a version ID. When you use the
gcloud CLI or REST API, you can use latest to retrieve the most recent version
of a parameter.
For more information, see Access a parameter version.
]]>API keys are available in Preview.
Service Usage is available in Preview.
API keys are available in Preview.
Service Usage is available in Preview.
The QueryData tool lets you to query the data in your database using conversational language and build data agents. For more information, see QueryData tool overview. This feature is available in (Preview).
The preview release increases the accuracy of SQL generation with value search queries which match values and their context within a database. Value search queries trigger automatically. QueryData also adds support for Parameterized secure views (PSVs) to help secure applications that use natural language queries. For more information, see Secure and control access to application data using parameterized secure views.
Agent Registry integration support for MCP metadata (Preview)
API hub now includes a managed integration with Agent Registry to automatically synchronize Model Context Protocol (MCP) servers and tools metadata. This feature enables AI agents to discover and interact with the APIs registered in your hub without manual configuration.
This feature is in Public Preview. For more information, see Manage Agent Registry integration.
Correction to April 2, 2026 release note: Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace
For the deployment disruption announced on April 2, the announcement noted that deployment and management functionality using Google Cloud Deployment Manager would definitely be unavailable during the transition. This statement is incorrect. The functionality might be unavailable.
See the Known issue for more information.
On April 6th, 2026, we released an updated version of Apigee.
This change introduces the new apigee.coreServiceAgent IAM role for
Apigee. Effective immediately, use apigee.coreServiceAgent instead of the
apigee.serviceAgent role.
For information on the new role, see
apigee.coreServiceAgent.
You can manually prewarm images in Artifact Registry to reduce the cold-start latency for deployments. This feature is only available using the API.
The QueryData tool lets you to query the data in your database using conversational language and build data agents. For more information, see QueryData tool overview. This feature is available in (Preview).
The preview release increases the accuracy of SQL generation with value search queries which match values and their context within a database. Value search queries trigger automatically.
If the storage capacity of a Cloud SQL instance is larger than your application needs, then you can manually reduce, or shrink, your storage capacity to a smaller size.
Depending on underlying disk size, storage shrink operations might incur considerable downtime. If your instance requires limited downtime, rather than using storage shrink capabilities, we recommend migrating your data to a new, smaller instance using Database Migration Service.
For more information, see About storage shrink.
If the storage capacity of a Cloud SQL instance is larger than your application needs, then you can manually reduce, or shrink, your storage capacity to a smaller size.
Depending on underlying disk size, storage shrink operations might incur considerable downtime. If your instance requires limited downtime, rather than using storage shrink capabilities, we recommend migrating your data to a new, smaller instance using Database Migration Service.
For more information, see About storage shrink.
The QueryData tool lets you to query the data in your database using conversational language and build data agents. For more information, see QueryData tool overview. This feature is available in (Preview).
The preview release increases the accuracy of SQL generation with value search queries which match values and their context within a database. Value search queries trigger automatically.
If the storage capacity of a Cloud SQL instance is larger than your application needs, then you can manually reduce, or shrink, your storage capacity to a smaller size.
Depending on underlying disk size, storage shrink operations might incur considerable downtime. If your instance requires limited downtime, rather than using storage shrink capabilities, we recommend migrating your data to a new, smaller instance using Database Migration Service.
For more information, see About storage shrink.
Cloud SQL for SQL Server now supports SQL Server 2025 (GA):
For more information, see Database versions and version policies and Choose a machine series.
Cloud SQL for SQL Server integration with Microsoft Entra ID (GA) provides centralized identity and access management (IAM) for your databases using your existing Microsoft Entra ID tenant.
You can now use Storage batch operations to update object contexts for multiple objects in a single job. You can clear all existing contexts from the specified objects, remove contexts with specific keys, or update and insert new context key-value pairs. For more information, see Create and manage batch operation jobs.
Object contexts are now
generally available.
You can attach key-value pairs to your objects to categorize, track, and search
your data. Object contexts are preserved by default during copy, rewrite, and
compose operations. You can help control this behavior by using the
dropContextGroups
JSON API parameter or by providing new contexts in the request.
You can automatically redirect and restart stopped workstations by configuring
the workstation_launch_url Workstation cluster field. To set a custom URL or
use the built-in Google Cloud Console launcher,
update your cluster.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Fixed CVE-2024-43826 in the Linux kernel.
Fixed CVE-2025-38704 in the Linux kernel.
Fixed CVE-2025-39748 in the Linux kernel.
Fixed CVE-2025-39764 in the Linux kernel.
Fixed CVE-2025-40135 in the Linux kernel.
Fixed CVE-2025-68206 in the Linux kernel.
Fixed CVE-2025-68239 in the Linux kernel.
Fixed CVE-2025-71161 in the Linux kernel.
Fixed CVE-2026-23004 in the Linux kernel.
Fixed CVE-2026-23050 in the Linux kernel.
Fixed CVE-2026-23138 in the Linux kernel.
Fixed CVE-2026-23245 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Fixed CVE-2026-23271 in the Linux kernel.
Fixed CVE-2026-23277 in the Linux kernel.
Fixed CVE-2026-23340 in the Linux kernel.
Fixed CVE-2026-23397 in the Linux kernel.
Fixed CVE-2026-23398 in the Linux kernel.
Fixed CVE-2026-23412 in the Linux kernel.
Fixed CVE-2026-23413 in the Linux kernel.
Fixed CVE-2026-23414 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Fixed CVE-2025-38192 in the Linux kernel.
Fixed CVE-2025-40135 in the Linux kernel.
Fixed CVE-2025-68206 in the Linux kernel.
Fixed CVE-2025-68239 in the Linux kernel.
Fixed CVE-2025-68265 in the Linux kernel.
Fixed CVE-2025-71161 in the Linux kernel.
Fixed CVE-2026-23100 in the Linux kernel.
Fixed CVE-2026-23113 in the Linux kernel.
Fixed CVE-2026-23245 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Fixed CVE-2026-23271 in the Linux kernel.
Fixed CVE-2026-23277 in the Linux kernel.
Fixed CVE-2026-23381 in the Linux kernel.
Fixed CVE-2026-23397 in the Linux kernel.
Fixed CVE-2026-23398 in the Linux kernel.
Fixed KCTF-9df9578 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.7 | See List |
Fixed CVE-2025-40135 in the Linux kernel.
Fixed CVE-2025-68206 in the Linux kernel.
Fixed CVE-2025-68239 in the Linux kernel.
Fixed CVE-2025-71161 in the Linux kernel.
Fixed CVE-2026-23004 in the Linux kernel.
Fixed CVE-2026-23050 in the Linux kernel.
Fixed CVE-2026-23138 in the Linux kernel.
Fixed CVE-2026-23245 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Fixed CVE-2026-23271 in the Linux kernel.
Fixed CVE-2026-23277 in the Linux kernel.
Fixed CVE-2026-23388 in the Linux kernel.
Fixed CVE-2026-23391 in the Linux kernel.
Fixed CVE-2026-23397 in the Linux kernel.
Fixed CVE-2026-23398 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.67 | v27.5.1 | v2.2.2 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.1 | See List |
Upgraded sys-apps/iproute2 to version 6.18.0.
Fixes a kernel panic in virtio_pci teardown when virtually queues are conditionally skipped.
Fixed a kernel panic in virtio_pci teardown when virtually queues are conditionally skipped.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
Fixed CVE-2024-14027 in the Linux kernel.
Fixed KCTF-7cb9a23 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Upgraded sys-apps/iproute2 to version 6.18.0.
Fixed KCTF-7cb9a23 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.5 | See List |
Made it so that /dev/hugepages is mounted as noexec for cchost boards.
Made it so that /mnt/disks is mounted as noexec for cchost boards.
Made it so that /run is mounted as noexec for cchost boards.
Upgraded sys-apps/iproute2 to version 6.18.0.
Fixed a kernel panic in virtio_pci teardown when virtually queues are conditionally skipped.
Fixed CVE-2024-14027 in the Linux kernel.
Fixed CVE-2026-23270 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed CVE-2026-33997 and CVE-2026-34040 in Docker.
Fixed KCTF-7cb9a23 in the Linux kernel.
On April 8, 2026, Gemini Cloud Assist is replacing the
cloudaicompanion.instances.completeTask IAM permission with
geminicloudassist.agents.invoke. Updates to standard IAM roles
will be done automatically, but if you have access to Gemini Cloud Assist
through a custom IAM role, you must update the role before
April 8, 2026 to ensure continued access. For more information, see the
deprecated IAM permissions
document.
Metadata search for RAG Engine
Use schema-based metadata search in Vertex AI RAG Engine. You can define a metadata schema for a corpus, attach metadata to files within that corpus, and use this metadata to filter contexts during retrieval. For more information, see Filter with metadata search.
Cloud Armor preconfigured rules support ModSecurity Core Rule Set (CRS) 4.22 as a rule source. For more information, see Tuning Google Cloud Armor WAF rules. This feature is available in Preview.
Updates to search query limits and error messaging
Google SecOps has updated search query limits for programmatic and web interface access:
For more information, see Search limits and quotas
v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)
The v1 feed types for GOOGLE_CLOUD_STORAGE, AMAZON_S3, AMAZON_SQS, and AZURE_BLOBSTORE are deprecated and will be discontinued on March 15, 2027. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.
To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:
You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our feed configuration guides before March 15, 2027.
Key Dates:
For more information, see Feature deprecations.
Updates to search query limits and error messaging
Google SecOps has updated search query limits for programmatic and web interface access:
For more information, see Search limits and quotas
v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)
The v1 feed types for GOOGLE_CLOUD_STORAGE, AMAZON_S3, AMAZON_SQS, and AZURE_BLOBSTORE are deprecated and will be discontinued on March 15, 2027. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.
To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:
You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our feed configuration guides before March 15, 2027.
Key Dates:
For more information, see Feature deprecations.
You can use the Memorystore for Redis remote MCP server. This server lets you connect to Memorystore for Redis instances from LLMs, AI applications, and AI-enabled development platforms. This feature is available in Preview.
You can use the Memorystore for Valkey remote MCP server. This server lets you connect to Memorystore for Valkey instances from LLMs, AI applications, and AI-enabled development platforms. This feature is available in Preview.
Pub/Sub now offers the AI Inference Single Method Transform (SMT). This SMT lets you get inferences on Pub/Sub messages from Vertex AI models. The model's inferences are added to each message, making them available for downstream processing along with the original message data.
The change is being rolled out in a phased manner over the rest of the week. For more information, see AI Inference SMT. This feature is generally available.
The QueryData tool lets you to query the data in your database using conversational language and build data agents. For more information, see QueryData tool overview. This feature is available in (Preview).
The preview release increases the accuracy of SQL generation with value search queries which match values and their context within a database. Value search queries trigger automatically.
]]>Certificate Manager certificates are available in Google Cloud console while provisioning a load balancer.
You can select a certificate map for the following load balancers:
You can select a Certificate Manager certificate for the following load balancers:
This feature is in General availability.
Release 6.3.82 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Playbook Condition and Multi-Choice Question Flows
The maximum number of branches supported in Playbook Conditions and Multiple Choice Questions has been increased from 6 to 20. This allows for more complex branching logic within a single step.
For more information, see Use flows in playbooks.
]]>Playbook Condition and Multi-Choice Question Flows
The maximum number of branches supported in Playbook Conditions and Multiple Choice Questions has been increased from 6 to 20. This allows for more complex branching logic within a single step.
For more information, see Use flows in playbooks.
Release 6.3.81 is now available for all regions.
]]>The gcloud beta alloydb connect
command is now available in
Preview. This command
provides a simplified way to connect securely to AlloyDB
instances by using the AlloyDB Auth Proxy and psql. For more information,
see Connect using gcloud CLI.
The Node.js buildpack supports the Bun package manager in General Availability. For more information, see Building a Node.js application.
Cloud Logging adds support for the ca multi-region. For a complete list
of supported regions, see Supported regions.
Application Monitoring has added a Services and Workloads tab, which lists your registered and discovered services and workloads. From this tab, you can do the following:
Agent or
MCP server.To learn more, see the following:
Dataproc and Google Cloud Serverless for Apache Spark are now unified under the Managed Service for Apache Spark brand. This change consolidates our managed Spark deployment options into a single umbrella brand that includes the full breadth of our Spark capabilities. No existing functionality is being removed as part of this change, and there will be no impact to the Dataproc API, client library, CLI, or IAM names.
Gemini Enterprise: Jira and Confluence federated data stores
The Jira and Confluence federated data stores are generally available (GA) in Gemini Enterprise.
For more information, see:
Gemma 4 26B A4B IT is available as an experimental launch in Model Garden. This is an open model built by Google DeepMind. Gemma 4 models are multimodal, handling text and image input and generating text output. Gemma 4 26B A4B IT is available as a managed API in Model Garden. To learn more, see Gemma 4 26B A4B IT.
Vertex AI RAG Engine Serverless mode
Vertex AI RAG Engine Serverless mode is now available in public preview. Serverless mode provides a fully managed database for storing RAG resources that abstracts away database provisioning and scaling. You can seamlessly switch between Serverless mode and Spanner mode, which provides dedicated, isolated database instances.
For more information, see the following:
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ABNORMAL_SECURITY)AI_HUNTER)AIX_SYSTEM)APACHE)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)AWS_CLOUDWATCH)AWS_VPC_FLOW)AWS_WAF)AZURE_AD)AZURE_AD_AUDIT)AZURE_FRONT_DOOR)AZURE_SQL)BOMGAR)BEYONDTRUST_BEYONDINSIGHT)BLUECOAT_WEBPROXY)BROADCOM_SUPPORT_PORTAL)CHECKPOINT_HARMONY)CHRONICLE_SOAR_AUDIT)CISCO_ASA_FIREWALL)CISCO_EMAIL_SECURITY)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)UMBRELLA_DNS)CISCO_WSA)GCP_DNS)GCP_CLOUDSQL)CLOUDFLARE)CLOUDFLARE_WARP)CODE42_INCYDR)CS_ALERTS)CS_EDR)CS_STREAM)CYBERARK_PAM)CYBEREASON_EDR)CYJAX_THREAT_INTELLIGENCE)CTIX)DATABRICKS)DUO_AUTH)ELASTIC_DEFEND)ESET_AV)F5_ASM)F5_BIGIP_APM)FIREEYE_EMPS)FIREEYE_ETP)FIREEYE_NX)FORESCOUT_NAC)FORGEROCK_IDENTITY_CLOUD)FORTINET_FORTIANALYZER)GITHUB)GTI_IOC)CLEARPASS)HUAWEI_SWITCH)IBM_DATAPOWER)IBM_SAFENET)IBM_WEBSPHERE_APP_SERVER)IMPERVA_ABP)IMPERVA_SECURESPHERE)JUNIPER_FIREWALL)KOLIDE)KUBERNETES_AUDIT)KUBERNETES_NODE)AUDITD)MARIA_DB)MCAFEE_EPO)MCAFEE_SKYHIGH_CASB)MCAFEE_WEBPROXY)AZURE_ACTIVITY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_GRAPH_ALERT)IIS)MICROSOFT_SQL)MIMECAST_MAIL_V2)LOOKOUT_MOBILE_ENDPOINT_SECURITY)MOBILEIRON)NETAPP_ONTAP)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)OBSIDIAN)OFFICE_365)OORT)ORACLE_DB)ORCA)PAN_CORTEX_XDR_EVENTS)PAN_FIREWALL)PAN_PRISMA_CA)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)REDHAT_OPENSHIFT)SALESFORCE)SAP_CHANGE_DOCUMENT)SAP_GATEWAY)SAP_HANA_AUDIT)SAP_SECURITY_AUDIT)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_SENSITIVE_DATA_RISK)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SNYK_SDLC)SURICATA_EVE)SYMANTEC_EDR)SYSDIG)TENABLE_ADS)THREATCONNECT_IOC_V3)TRELLIX_HX_ALERTS)TRELLIX_HX_AUDIT)TRELLIX_HX_ES)TRELLIX_HX_HOSTS)TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)TRENDMICRO_VISION_ONE_WORKBENCH)TRENDMICRO_APEX_CENTRAL)TRENDMICRO_STELLAR)UBIKA_WAF)NIX_SYSTEM)VARONIS)VMWARE_AVINETWORKS_IWAF)VMWARE_ESX)VMWARE_HORIZON)WALLIX_BASTION)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)BRO_JSON)ZSCALER_WEBPROXY)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ACTION1)CDNETWORKS_CLOUD_SECURITY)CLAUDE_COMPLIANCE_LOGS)DELL_RECOVERPOINT)IBM_STORWIZE)LEAPXPERT_AUDIT)ORACLE_KEY_VAULT_AUDIT_LOGS)RSA_CLOUD)SERVICENOW_ANTIVIRUS_ACTIVITY)SERVICENOW_ATTACHMENT)SERVICENOW_EMAIL)VERSA_DIRECTOR)ZPE_SYSTEMS_NODEGRID)Google Security Operations has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ABNORMAL_SECURITY)AI_HUNTER)AIX_SYSTEM)APACHE)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)AWS_CLOUDWATCH)AWS_VPC_FLOW)AWS_WAF)AZURE_AD)AZURE_AD_AUDIT)AZURE_FRONT_DOOR)AZURE_SQL)BOMGAR)BEYONDTRUST_BEYONDINSIGHT)BLUECOAT_WEBPROXY)BROADCOM_SUPPORT_PORTAL)CHECKPOINT_HARMONY)CHRONICLE_SOAR_AUDIT)CISCO_ASA_FIREWALL)CISCO_EMAIL_SECURITY)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)UMBRELLA_DNS)CISCO_WSA)GCP_DNS)GCP_CLOUDSQL)CLOUDFLARE)CLOUDFLARE_WARP)CODE42_INCYDR)CS_ALERTS)CS_EDR)CS_STREAM)CYBERARK_PAM)CYBEREASON_EDR)CYJAX_THREAT_INTELLIGENCE)CTIX)DATABRICKS)DUO_AUTH)ELASTIC_DEFEND)ESET_AV)F5_ASM)F5_BIGIP_APM)FIREEYE_EMPS)FIREEYE_ETP)FIREEYE_NX)FORESCOUT_NAC)FORGEROCK_IDENTITY_CLOUD)FORTINET_FORTIANALYZER)GITHUB)GTI_IOC)CLEARPASS)HUAWEI_SWITCH)IBM_DATAPOWER)IBM_SAFENET)IBM_WEBSPHERE_APP_SERVER)IMPERVA_ABP)IMPERVA_SECURESPHERE)JUNIPER_FIREWALL)KOLIDE)KUBERNETES_AUDIT)KUBERNETES_NODE)AUDITD)MARIA_DB)MCAFEE_EPO)MCAFEE_SKYHIGH_CASB)MCAFEE_WEBPROXY)AZURE_ACTIVITY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_GRAPH_ALERT)IIS)MICROSOFT_SQL)MIMECAST_MAIL_V2)LOOKOUT_MOBILE_ENDPOINT_SECURITY)MOBILEIRON)NETAPP_ONTAP)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)OBSIDIAN)OFFICE_365)OORT)ORACLE_DB)ORCA)PAN_CORTEX_XDR_EVENTS)PAN_FIREWALL)PAN_PRISMA_CA)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)REDHAT_OPENSHIFT)SALESFORCE)SAP_CHANGE_DOCUMENT)SAP_GATEWAY)SAP_HANA_AUDIT)SAP_SECURITY_AUDIT)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_SENSITIVE_DATA_RISK)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SNYK_SDLC)SURICATA_EVE)SYMANTEC_EDR)SYSDIG)TENABLE_ADS)THREATCONNECT_IOC_V3)TRELLIX_HX_ALERTS)TRELLIX_HX_AUDIT)TRELLIX_HX_ES)TRELLIX_HX_HOSTS)TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)TRENDMICRO_VISION_ONE_WORKBENCH)TRENDMICRO_APEX_CENTRAL)TRENDMICRO_STELLAR)UBIKA_WAF)NIX_SYSTEM)VARONIS)VMWARE_AVINETWORKS_IWAF)VMWARE_ESX)VMWARE_HORIZON)WALLIX_BASTION)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)BRO_JSON)ZSCALER_WEBPROXY)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ACTION1)CDNETWORKS_CLOUD_SECURITY)CLAUDE_COMPLIANCE_LOGS)DELL_RECOVERPOINT)IBM_STORWIZE)LEAPXPERT_AUDIT)ORACLE_KEY_VAULT_AUDIT_LOGS)RSA_CLOUD)SERVICENOW_ANTIVIRUS_ACTIVITY)SERVICENOW_ATTACHMENT)SERVICENOW_EMAIL)VERSA_DIRECTOR)ZPE_SYSTEMS_NODEGRID)Extended attributes for Workforce Identity Federation are deprecated. For group mapping, we recommend using SCIM instead of extended attributes. For more information, see IAM deprecations.
Hybrid Subnets is available in General Availability. Hybrid subnet routing lets a VPC network share a CIDR block with a connected on-premises network. This configuration helps you migrate workloads to Google Cloud without needing to change any IP addresses. During migration, workloads that have migrated to your VPC network can communicate with those remaining in the on-premises network by using internal IP addresses. After all workloads have migrated, you can disable hybrid subnet routing to restore normal routing behavior.
For information about pricing for Hybrid Subnets, see Virtual Private Cloud pricing.
]]>You can now enable Advanced Query Insights on primary clusters which have secondary clusters configured. Advanced Query Insights is not supported on secondary clusters. If you perform a switchover, you must re-enable Advanced Query Insights on the new primary cluster.
Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace
Google Cloud Deployment Manager was deprecated as of March 31, 2026. We are currently transitioning the Apigee Drupal Portal Marketplace solution to use Infrastructure Manager. During this transition period, some deployment and management functionalities are unavailable.
Impact:
gcloud deployment-manager tool.Workaround & Resolution: Any configuration changes or management tasks must be performed directly on the individual Google Cloud resources (Compute Engine, Cloud SQL, etc.) rather than through the Marketplace UI.
We are actively working to release the updated Infrastructure Manager-based solution.
The filter capabilities for log views have been extended to include support for disjunctive clauses, negation statements, and labels. To learn more, see Filters for log views.
Application Monitoring has added support for the following resources:
Additionally, dashboards for Kubernetes workloads display L4 and L7 traffic metrics, when both are available. For more information, see Application Monitoring supported infrastructure.
Cloud SQL for SQL server read pools are now generally available and provide operational simplicity and scaling for your read workloads.
Read pools provide a single endpoint in front of up to seven read pool nodes and automatically load balance traffic.
You can scale your read pool in several ways:
Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports between 1 and 7 read pool nodes.
Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.
For more information, see About read pools.
Managed Cloud Service Mesh using the TRAFFIC_DIRECTOR implementation now
supports a limited implementation of the EnvoyFilter API. To learn about the
supported fields, extensions, and how to use EnvoyFilter for features like
local rate limiting see
Data plane extensibility with EnvoyFilter.
To troubleshoot any issue while configuring, see Resolving data plane extensibility issues.
You can configure which encryption types are allowed or prohibited for creating new objects in a bucket. For more information, see Enforce or restrict the encryption types for a bucket.
Cluster Toolkit version v1.86.0 is available. This release implements
and configures the Google Container Filesystem (GCFS) to stream images at the
cluster level for Google Kubernetes Engine. This release also migrates the
kubectl_apply_manifest module to Helm and upgrades the command-line interface
(DCGMI) for the NVIDIA Data Center GPU Manager (DCGM).
For more information about version v1.86.0, see the Release announcement on GitHub.
Preview: To control the use of the deprecated container startup agent, an option for
deploying containers on Compute Engine instances, you can enforce the
constraints/compute.managed.disableVmsWithContainerStartupAgent organization
policy constraint. This constraint prevents the creation of
Compute Engine instances that use the container startup
agent and the gce-container-declaration metadata.
You can also enforce this organization policy in dry-run mode to identify projects that use the deprecated metadata, without blocking resource creation.
For more information, see Prevent the creation of VMs that use the container metadata and Migrate containers deployed on VMs during VM creation.
The
Dataform folders and repositories
feature is now
generally available
(GA). This feature lets you organize code assets like notebooks and saved
queries into a hierarchical structure with IAM policy inheritance. This release
also introduces deleteTree API methods for deleting folders and
team folders.
New Dataproc on Compute Engine subminor image versions:
3.9.5 in image version 2.3.NotebookLM Enterprise: Autocomplete for email addresses and group names when sharing notebooks
When sharing notebooks with users and groups, autocomplete is available to help users quickly select the correct email addresses and group names.
If your organization uses the Google Identity Provider, no action is required. If your organization uses Third-party identity and Microsoft Entra ID, a Gemini Enterprise administrator must provision a System for Cross-domain Identity Management (SCIM) tenant for Workforce Identity Federation to enable autocomplete. For more information about identity setup, see Set up NotebookLM Enterprise.
This feature is generally available (GA). For more information, see Share a notebook.
Veo 3.1 Lite
Veo 3.1 Lite is available in public preview. This release is our most cost-efficient Veo on Vertex AI model.
For more information, see 3.1 Lite Generate
Gemini 2.5 model retirement dates updated
The retirement dates for Gemini 2.5 Pro, Gemini 2.5 Flash-Lite, and Gemini 2.5 Flash have been updated to October 16, 2026. For more information, see Model versions and lifecycle.
Google Cloud CCaaS 4.16
We've released version 4.16 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Agent Assist is available for calls and chats that are unassociated with a queue
You can now turn on Agent Assist for calls and chats at the team level. That means that Agent Assist is available for interactions that aren't associated with a queue, such as direct inbound calls and outbound calls with no queue selected.
Administrators: In the Settings > Users & Teams > Manage Users & Teams > edit TEAM_NAME pane, there's a new Agent Assist section.
For more information, see Configure Agent Assist at the team level.
New HubSpot CRM ticket view: Help desk view
You can now configure which CRM ticket view your HubSpot integration uses: Standard view, or the new real-time Help desk view.
Administrators: In the Settings > Developer Settings > select HubSpot pane, there's a new CRM Ticket View section.
For more information, see Configure HubSpot.
Play pre-recorded audio for virtual agents
Dialogflow lets virtual agents respond with pre-recorded audio. This lets you use high-quality audio files instead of standard text-to-speech. This capability is available for all voice channels, including inbound and outbound calls. It's available for support virtual agents, task virtual agents, and post-session virtual agents. For more information, see Play pre-recorded audio.
Configure the ringing timeout for virtual agent transfers to SIP endpoints
Twilio users can configure the ringing timeout for outbound calls that virtual
agents transfer to SIP endpoints. Add the sip_ring_timeout field to the
virtual agent's custom payload to set the ringing period for up to 600 seconds.
This allows calls to internal extensions or Unified Communications (UC)
destinations sufficient time to be answered before disconnection. For more
information, see Transfer a call to a SIP
endpoint.
The following issues were addressed in this release:
Fixed an issue with React Native integrations where the email adapter wouldn't load. TBD - confirm that there's only one bug related to the email adapter not loading with React Native integrations.
Fixed an issue where enabling chat redaction caused the unredacted messages to be redacted in the chat adapter.
Fixed an issue where calls continued to be recorded after being transferred to a third-party number, even when the Continue Call recording to Third Party Numbers after the agent leaves the call setting was cleared.
Fixed an issue where emails were automatically assigned to users without agent roles.
Fixed an issue where the global Overcapacity Deflection Messages setting was configured for Uploading Audio Recordings, but queues inheriting global settings incorrectly displayed Text-to-speech in the UI.
Fixed an issue where agents couldn't transfer a chat within the same queue.
Fixed an issue where incoming calls unexpectedly ended with 603 decline errors after ringing for 13 seconds.
Fixed an issue in the Agent Desktop where the session ID didn't match the call ID for the same interaction.
Fixed an issue where user search results didn't display users in locations with the same first three letters of the name when searching for partial locations.
Fixed an issue that let end-users interact with a mailbox immediately after switching to a different mailbox, causing synchronization issues.
Fixed an issue where overcapacity deflection didn't work for direct inbound calls.
Fixed an issue where the Reporting API changed the data types of some response fields. This caused data type mismatches in the reports that the API returned.
Mobile SDK for Android version 2.15.2 patch
This patch updates the following for the mobile SDK for Android:
Updates minSdkVersion to 25.
Upgrades the following dependencies:
Twilio Conversations to 6.2.1
Twilio Voice to 6.10.2
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2286000 | cos-117-18613-534-44 | cos-117-18613-534-44 release notes |
| 1.31.14-gke.1681000 | cos-117-18613-534-44 | cos-117-18613-534-44 release notes |
| 1.32.13-gke.1205000 | cos-117-18613-534-44 | cos-117-18613-534-44 release notes |
| 1.33.10-gke.1067000 | cos-121-18867-381-45 | cos-121-18867-381-45 release notes |
| 1.34.6-gke.1068000 | cos-125-19216-220-72 | cos-125-19216-220-72 release notes |
Chrome Enterprise Premium Integration general availability
The Chrome Enterprise Premium integration is now GA. This release includes the following new features and updates:
New Chrome Enterprise Connector which configures recommended data export settings and sends data through Google Cloud to Google Security Operations. Chrome Enterprise Premium customers can export data with additional security context provided by Google Safe Browsing.
Updates to the CHROME_MANAGEMENT parser documentation in Collect Chrome Enterprise data and
Chrome Enterprise Premium Threats.
Curated Detections for Chrome Enterprise Premium.
Curated Dashboards for Chrome Enterprise Premium.
Response actions to block and remove malicious extensions or to delete blocked extensions from the extension policy ExtensionInstallBlocklist.
Security Command Center Risk Engine supports Managed Service for Apache Spark resources in attack paths and Managed Service for Apache Spark clusters and jobs in high-value resource sets.
]]>Airflow 2.11.1 is available in Cloud Composer 3 and Cloud Composer 2.
New Airflow builds are available in Cloud Composer 3:
New images are available in Cloud Composer 2:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.67 | v27.5.1 | v2.2.2 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.1 | See List |
Fixed CVE-2024-14027 in the Linux kernel.
Fixed KCTF-7cb9a23 in the Linux kernel.
Fixed KCTF-7cb9a23 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.5 | See List |
Fixed CVE-2024-14027 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed KCTF-7cb9a23 in the Linux kernel.
Various bug fixes and minor product enhancements.
Gemini Enterprise: Data connector request count metric
Monitor the total number of requests to your Gemini Enterprise data connectors or data stores using the Gemini Enterprise DataConnector - Gemini Enterprise DataConnector Request Count metric in Metrics Explorer.
This feature is generally available (GA). For more information, see Access metrics in Metrics Explorer.
Microsoft 365 Defender: Version 26.0
The following new job has been added:
SentinelOneV2: Version 48.0
The following new job has been added:
Microsoft Teams: Version 36.0
Optimized user lookup logic for the following actions:
Add Users To Channel
Create Chat
Akamai: Version 6.0
Updated the JSON results of the following actions:
Add Items To Client List
Remove Items From Client List
Source code is now publicly available on GitHub for the following integrations:
CyberX: Version 6.0
JuniperVSRX: Version 11.0
McAfee NSM: Version 11.0
Micro Focus ITSMA: Version 7.0
Portnox: Version 9.0
ReversingLabs A1000: Version 10.0
Stealthwatch V6.10: Version 6.0
Symantec Content Analysis: Version 7.0
Azure Active Directory: Version 25.0
Added the ability to fetch last login time information to the following actions:
Enrich User
Get Manager Contact Details
Preview stage support for the following integration:
]]>Service Management is generally available (GA).
Service Management is generally available (GA).
Hot standby enhances the AlloyDB high availability (HA) architecture to improve failover times and to ensure consistent performance after failover. AlloyDB continuously replicates transactions to the standby node to keep caches warm and to ensure that the node is ready to take over quickly during a failover. This feature is generally available (GA) in PostgreSQL 18 and is automatically enabled for all new instances. For more information, see the AlloyDB high availability overview.
On March 31st, 2026, we released an updated version of Apigee.
General Availability (GA) launch of Model Context Protocol (MCP) in Apigee
With this release, Model Context Protocol (MCP) in Apigee is generally available, enabling you to expose your Apigee APIs as MCP tools to agentic applications.
Any MCP client that supports remote MCP endpoints over HTTP/S can access these tools. Because the endpoints are managed, you don't need to install or manage local MCP servers, remote MCP servers, or additional infrastructure to enable agentic applications to access your services.
MCP in Apigee is available for Subscription, Pay-as-you-go, and Evaluation organizations, including organizations with Data Residency and VPC Service Controls enabled.
For more information on using MCP in Apigee, see MCP in Apigee overview.
Enhanced OAS server URL path handling for MCP in Apigee
With this feature enhancement, your OpenAPI specification (OAS) configurations behave exactly
as defined in the OAS standard, automatically combining the server.url base path value with individual operation paths.
For example, a server URL ofhttps://example.com/api/v1 paired with a path of /users will now correctly route to https://example.com/api/v1/users without additional manual intervention.
If you previously prepended base paths to your OAS paths entries, remove the path segment from your servers.url field to prevent
duplication. For example, change https://example.com/api/v1 to https://example.com.
For more information, see Create an OpenAPI 3.0 specification.
Updated MCP server target endpoint for MCP Discovery Proxies
With the GA launch of Model Context Protocol (MCP) in Apigee, the structure of the MCP server target endpoint for MCP Discover Proxies has changed to ORG_NAME.mcp.apigee.internal.
Private preview customers using the previous format (mcp.apigee.internal) are encouraged to update their proxies to reflect the new structure. Existing endpoints using the old format will continue to work, but new endpoints will use the new structure.
Known Issue 496552286: Deployment fails for MCP Discovery Proxies in regions with capacity limitations.
For more information, see Apigee known issues.
The Data Boundary for FedRAMP High supports the following products:
The Data Boundary for Impact Level 2 (IL2) supports the following products:
The Data Boundary for Impact Level 4 (IL4) supports the following products:
The Data Boundary for FedRAMP Moderate supports the following products:
The Data Boundary for Impact Level 5 (IL5) supports the following products:
SNI-based routing for proxy Network Load Balancers is now available in Preview.
You can now route TLS traffic based on Server Name Indication (SNI) hostnames
by using the new TLSRoute resource. The load balancer inspects the
initial unencrypted ClientHello message to extract the SNI hostname and
route connections to the appropriate backend service.
This feature provides pure TLS passthrough without terminating the connection
at the load balancer. Key benefits include:
TLSRoute API lets platform administrators
to manage frontend infrastructure while service owners manage their own routes
and backends independently.This feature is available for regional and cross-region proxy Network Load Balancers.
For more information, see:
The default TCP TIME_WAIT
timeout for Cloud NAT is scheduled to decrease from 120 seconds to 30 seconds,
across all regions, as follows:
Impact on gateways
Existing gateways: Cloud NAT gateways created before the regional update will retain the 120-second default. You can adjust this value by using the --tcp-time-wait-timeout flag at any time.
Cloud NAT gateways configured with a custom TIME_WAIT value
aren't affected and will continue to use your configured custom value.
The following table outlines the applicable default timeout for new gateways throughout the deployment timeline.
| Gateway type | Default timeout (before June 30) |
Default timeout (June 30—September 29) |
Default timeout (on or after September 30) |
|---|---|---|---|
| New | 120 seconds | 30 or 120 seconds | 30 seconds |
You can now migrate a subset of databases from an external server to a destination Cloud SQL for MySQL instance.
For more information, see Configure Cloud SQL and the external server for replication.
You can now use Storage Insights datasets to help manage your data security and compliance. The ability to identify publicly accessible objects is now generally available. Additionally, new fields in bucket and object metadata schemas, such as encryption, retentionPeriod, encryptionType, and retentionExpirationTime, help you audit encryption configurations and monitor data retention policies. For more information, see
Storage Insights datasets and
Dataset tables and schemas.
Generally available: TPU7x is generally available (GA). TPU7x is the first release within the Ironwood family, Google Cloud's seventh generation TPU. TPU7x supports large-scale AI training and inference, providing performance and cost-effectiveness for demanding workloads such as large language (LLMs), mixture of experts (MoEs), and diffusion models. For more information, see the TPU7x (Ironwood) documentation.
Generally available: The maximum throughput for a Hyperdisk ML disk is increased to 2,097,152 MiB/s from 1,200,000 MiB/s. Hyperdisk ML provides the highest throughput per disk for machine learning and for workloads that require high read throughput on immutable datasets.
For more information, see About Hyperdisk ML.
Upgrading fine tuned custom extractor processors is now available in Preview.
The feature allows you to fine tune a new processor version with a newer base version, while keeping the configurations of the previously fine-tuned processor version selected. This is available through the UI in the Deploy & use tab in the console.
This is currently supported for upgrading pretrained-foundation-model-v1.4-2025-02-05
to pretrained-foundation-model-v1.5-2025-05-05.
For more information, see training overview.
Gemini Enterprise: Support for new actions New actions are available for the following data stores:
For a list of actions for these data stores, see Supported actions.
Gemini Enterprise: Connect Salesforce data using data federation (Preview)
You can connect Salesforce data stores to Gemini Enterprise using data federation.
This feature is in Public Preview. For more information, see Connect Salesforce.
Gemini Enterprise: Federated connector error logs in Logs Explorer
You can view detailed error logs for your federated connectors in Logs Explorer. These logs include connection problems, data transformation issues, or API errors.
For more information, see Access Gemini Enterprise connector error logs with Cloud Logging.
Gemini Enterprise and NotebookLM Enterprise: BSI C5:2020 compliance
Gemini Enterprise and NotebookLM Enterprise are certified for BSI C5:2020 compliance.
Cloud Armor supports a visual Match Condition Builder that allows you to create complex expressions in Common Expression Language (CEL) without writing raw code. For more information, see Use the Match Condition Builder.
[Spotlight Feature] Multi-stage queries in YARA-L
The Multi-stage queries feature is now GA. This feature lets you feed the output of one query stage into the input of another, providing more granular data transformation than a single, monolithic query. You can use multi-stage queries in both Dashboards and Search to build sophisticated detection and visualization logic. No action is required to enable this feature.
For more information, see create multi-stage queries with YARA-L 2.0.
Multi-stage queries in YARA-L
The Multi-stage queries feature is now GA. This feature lets you feed the output of one query stage into the input of another, providing more granular data transformation than a single, monolithic query.
You can use multi-stage queries in both Dashboards and Search to build sophisticated detection and visualization logic. No action is required to enable this feature.
Learn more about how to create multi-stage queries with YARA-L 2.0.
Gemini assistance in the IAM role picker is generally available.
For more information, see Get predefined role suggestions with Gemini assistance.
Oracle Database@Google Cloud supports VPC Service Controls. For more information, see Configure VPC Service Controls. This feature is Generally Available (GA).
ABAP SDK for Google Cloud version 1.13 (On-premises or any cloud edition)
Version 1.13 of the on-premises or any cloud edition of the ABAP SDK for Google Cloud is generally available (GA). For the latest Gemini 3.1 Pro models, this version includes support for function calling with thought signatures and enhanced thinking configurations to optimize model reasoning.
Additionally, this version introduces support for the Parameter Manager API and fixes an issue with the recordstamp field in the BigQuery toolkit for SAP when multiple records with the same primary key are replicated to BigQuery.
For more information, see What's new with the on-premises or any cloud edition of the ABAP SDK for Google Cloud.
Risk Engine supports
aiplatform.googleapis.com/ReasoningEngine
in both attack paths and high value
resource
sets.
Unified Maintenance supports viewing maintenance activities for App Hub applications that you have created in App Hub or Application Design Center.
]]>AlloyDB now offers conversational analytics, which lets users query their operational data using natural language. This feature is powered by the Conversational Analytics API, which can help you translate complex human dialog into precise database queries to provide actionable insights. This feature is in Preview. For more information, see Conversational analytics for AlloyDB overview.
You can view the details of Bigtable continuous materialized views in the Google Cloud console.
Scenario modeling for CUD recommendations is generally available
Scenario modeling for committed use discount (CUD) recommendations is now generally available (GA). You can simulate scenarios for both spend-based and resource-based CUDs, and customize recommendations to purchase a commitment that maximizes your savings.
For more information, see Simulate scenarios for CUDs savings.
Cloud Build now supports uploading generic artifacts to generic
repositories, and also downloading generic repositories as build dependencies.
For more information, see genericArtifacts
and Specify a generic artifact as a dependency.
For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map, providing more granular control over caching. You can now apply specific caching logic based on hostnames, URL paths, HTTP headers, and query parameters. This feature is in Preview.
For more information, see Cache policies in URL maps.
Database Migration Service for homogeneous MySQL migrations now lets you migrate individual databases from your source. You can select the databases when you create a migration job for homogeneous MySQL migrations.
For any new project that is created on or after March 30, 2026, if the project enables the Cloud Logging API, then Google Cloud Observability also enables the Telemetry API.
For any new project that is created on or after March 30, 2026, if the project enables the Cloud Monitoring API, Telemetry API.
Cloud SQL for MySQL now offers conversational analytics, which lets users query their operational data using natural language. This feature is powered by the Conversational Analytics API, which can help you translate complex human dialog into precise database queries to provide actionable insights. This feature is in Preview. For more information, see Conversational analytics for Cloud SQL for MySQL overview.
Cloud SQL for PostgreSQL now offers conversational analytics, which lets users query their operational data using natural language. This feature is powered by the Conversational Analytics API, which can help you translate complex human dialog into precise database queries to provide actionable insights. This feature is in Preview. For more information, see Conversational analytics for Cloud SQL for PostgreSQL overview.
Vector assist (Preview) is temporarily disabled for all Cloud SQL for PostgreSQL instances.
For any new project that is created on or after March 30, 2026, if the project enables the Cloud Trace API, then Google Cloud Observability also enables the Telemetry API.
You can use the Cloud Trace API MCP server to let agents and AI applications interact with your trace data. This feature is in Preview.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.67 | v27.5.1 | v2.2.2 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.1 | See List |
Fixed CVE-2026-27135 in net-libs/nghttp2.
Updated the Linux kernel to v6.12.77.
Enabled dynamic configuration of FUSE max pages limit.
Enabled dynamic configuration of FUSE max pages limit.
Fixed CVE-2026-23292 in the Linux kernel.
Fixed CVE-2026-27135 in net-libs/nghttp2.
Fixed CVE-2026-23293 in the Linux kernel.
Runtime sysctl changes:
Fixed CVE-2026-23296 in the Linux kernel.
Fixed CVE-2026-23297 in the Linux kernel.
Fixed CVE-2026-23300 in the Linux kernel.
Fixed CVE-2026-23303 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed CVE-2026-23310 in the Linux kernel.
Fixed CVE-2026-23316 in the Linux kernel.
Fixed CVE-2026-23319 in the Linux kernel.
Fixed CVE-2026-23340 in the Linux kernel.
Fixed CVE-2026-23352 in the Linux kernel.
Fixed CVE-2026-23359 in the Linux kernel.
Fixed CVE-2026-23360 in the Linux kernel.
Fixed CVE-2026-23380 in the Linux kernel.
Fixed CVE-2026-23381 in the Linux kernel.
Fixed CVE-2026-23383 in the Linux kernel.
Fixed CVE-2026-23388 in the Linux kernel.
Fixed CVE-2026-23390 in the Linux kernel.
Fixed KCTF-9df9578 in the Linux kernel.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.5 | See List |
Enabled dynamic configuration of FUSE max pages limit.
Fixed CVE-2026-23292 in the Linux kernel.
Fixed CVE-2026-23293 in the Linux kernel.
Fixed CVE-2026-23296 in the Linux kernel.
Fixed CVE-2026-23297 in the Linux kernel.
Fixed CVE-2026-23300 in the Linux kernel.
Fixed CVE-2026-23303 in the Linux kernel.
Fixed CVE-2026-23310 in the Linux kernel.
Fixed CVE-2026-23316 in the Linux kernel.
Fixed CVE-2026-23319 in the Linux kernel.
Fixed CVE-2026-23340 in the Linux kernel.
Fixed CVE-2026-23352 in the Linux kernel.
Fixed CVE-2026-23359 in the Linux kernel.
Fixed CVE-2026-23360 in the Linux kernel.
Fixed CVE-2026-23380 in the Linux kernel.
Fixed CVE-2026-23381 in the Linux kernel.
Fixed CVE-2026-23383 in the Linux kernel.
Fixed CVE-2026-23388 in the Linux kernel.
Fixed CVE-2026-23390 in the Linux kernel.
Fixed CVE-2026-27135 in net-libs/nghttp2.
Fixed CVE-2026-27448 in dev-python/pyopenssl.
Fixed CVE-2026-27459 in dev-python/pyopenssl.
Fixed KCTF-9df9578 in the Linux kernel.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.7 | See List |
Added support for loading the ublk kernel module.
Fixed CVE-2026-23292 in the Linux kernel.
Fixed CVE-2026-23293 in the Linux kernel.
Fixed CVE-2026-23296 in the Linux kernel.
Fixed CVE-2026-23300 in the Linux kernel.
Fixed CVE-2026-23303 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed CVE-2026-23310 in the Linux kernel.
Fixed CVE-2026-23340 in the Linux kernel.
Fixed CVE-2026-23352 in the Linux kernel.
Fixed CVE-2026-23359 in the Linux kernel.
Fixed CVE-2026-23368 in the Linux kernel.
Fixed CVE-2026-23381 in the Linux kernel.
Fixed CVE-2026-23386 in the Linux kernel.
Fixed CVE-2026-23392 in the Linux kernel.
Fixed CVE-2026-27135 in net-libs/nghttp2.
Fixed CVE-2026-27448 in dev-python/pyopenssl.
Fixed CVE-2026-27459 in dev-python/pyopenssl.
Fixed CVE-2026-32597 with pyjwt package upgrade to 2.12.1.
Fixed KCTF-329f0b9 in the Linux kernel.
Fixed KCTF-9df9578 in the Linux kernel.
Fixed the "CrackArmor" vulnerability in the Linux kernel.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Fixed CVE-2026-23292 in the Linux kernel.
Fixed CVE-2026-23293 in the Linux kernel.
Fixed CVE-2026-23296 in the Linux kernel.
Fixed CVE-2026-23300 in the Linux kernel.
Fixed CVE-2026-23303 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed CVE-2026-23310 in the Linux kernel.
Fixed CVE-2026-23351 in the Linux kernel.
Fixed CVE-2026-23352 in the Linux kernel.
Fixed CVE-2026-23359 in the Linux kernel.
Fixed CVE-2026-23368 in the Linux kernel.
Fixed CVE-2026-23381 in the Linux kernel.
Fixed CVE-2026-23386 in the Linux kernel.
Fixed CVE-2026-23388 in the Linux kernel.
Fixed CVE-2026-23391 in the Linux kernel.
Fixed CVE-2026-23392 in the Linux kernel.
Fixed CVE-2026-27135 in net-libs/nghttp2.
Fixed CVE-2026-27448 in dev-python/pyopenssl.
Fixed the "CrackArmor" vulnerability in the Linux kernel.
Fixed the "CrackArmor" vulnerability in the Linux kernel.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Updated cos-gpu-installer to v2.6.1.
Fixed CVE-2026-23292 in the Linux kernel.
Fixed CVE-2026-23293 in the Linux kernel.
Fixed CVE-2026-23296 in the Linux kernel.
Fixed CVE-2026-23300 in the Linux kernel.
Fixed CVE-2026-23303 in the Linux kernel.
Fixed CVE-2026-23304 in the Linux kernel.
Fixed CVE-2026-23340 in the Linux kernel.
Fixed CVE-2026-23352 in the Linux kernel.
Fixed CVE-2026-23359 in the Linux kernel.
Fixed CVE-2026-23368 in the Linux kernel.
Fixed CVE-2026-23388 in the Linux kernel.
Fixed CVE-2026-23391 in the Linux kernel.
Fixed CVE-2026-23392 in the Linux kernel.
Fixed CVE-2026-27135 in net-libs/nghttp2.
Fixed CVE-2026-27448 in dev-python/pyopenssl.
Fixed CVE-2026-27459 in dev-python/pyopenssl.
Fixed CVE-2026-32597 with pyjwt package upgrade to 2.12.1.
Fixed KCTF-329f0b9 in the Linux kernel.
Runtime sysctl changes:
Automated cataloging of Looker (Google Cloud core) metadata as well as data lineage ingestion from BigQuery sources are now available in preview. For more information, see the Looker (Google Cloud core) documentation.
Gemini Enterprise: Include cross-domain documents feature for Google Drive (Preview)
When configuring a Google Drive data store, the Include cross-domain documents feature lets you search and index documents outside your organization. Enable this setting during app creation or on the Manage web app features page for existing apps.
This feature is in Public Preview. For more information, see Create an app and Manage web app features.
Version 20260329.00 of the guest agent
is now available for all supported operating systems. This version introduces
the following features:
enable_local_plugins configuration now defaults to true.connection_type is introduced to the
PluginConfig section of the guest agent configuration file. This option
forces a specific connection type when the guest agent connects to the
extensions it is managing. Supported connection types are UDS and TCP.Version 20260329.00 of the guest agent
is now available for all supported operating systems. This version introduces
the following fixes:
Starting March 30, 2026, the following features will begin rolling out.
Available in preview for Looker (Google Cloud core), you can now track end-to-end data lineage from BigQuery to Looker content, including views, Explores, dashboards, and Looks, through the Looker and Dataplex lineage integration. This enables impact analysis to see how BigQuery changes affect downstream Looker (Google Cloud core) contents.
The Looker mobile application now supports sending alert notifications as push notifications to users who have the Looker mobile application on their mobile device. (This release note was updated on April 9, 2026 to reflect that this update is a feature and to correct a documentation link.)
Available in preview, you can publish the Conversational Analytics data agents that you create in Looker to Gemini Enterprise.
Available in preview, you can chat with Conversational Analytics data agents in user-defined dashboards and in LookML dashboards.
The Enhanced Content Cleanup preview feature is now available. When this feature is enabled for your instance, it lets admins and content owners access an enhanced content management experience in Looker. The Enhanced Content Cleanup preview feature provides the following capabilities:
This feature is disabled by default. Learn more about managing unused content with Enhanced Content Cleanup.
Now generally available, Looker has full support for connections with AlloyDB for PostgreSQL. When you create a connection in Looker, you can now select Google Cloud AlloyDB for PostgreSQL from the Dialect drop-down menu. This update doesn't affect existing AlloyDB connections that were created using the PostgreSQL 9.5+ option in the Dialect menu.
The New Looker Explore and Merge Query Experience preview feature is now available.
When this feature is enabled for your instance, it lets individual users have the option to try the redesigned Looker Explore and Merge Query interfaces. The streamlined interfaces let Looker users find connections and gain insights from their data more quickly. For an AI-assisted experience, enable additional options on the Gemini in Looker page in the Platform section of the Admin panel.
This feature is disabled by default.
Learn more about the new Explore and Merge Query experience.
For customer-hosted Looker instances, Looker 26.6 supports MySQL 8.4.X for the Looker backend database. For customer-hosted instances that use MySQL 8.0.X for the Looker backend database, it is recommended that you update to MySQL 8.4.X as soon as you update your Looker instance to 26.6 or later. Note: This item was added on April 6, 2026.
Available in preview, Looker (Google Cloud core) now integrates with Dataplex Universal Catalog, providing a unified discovery and management experience for your Looker metadata. This allows you to search for Looker assets like LookML models and dashboards directly within Dataplex, giving you a comprehensive view of your data landscape.
When connecting Looker to your database, you can specify additional Java Database Connectivity (JDBC) parameters that you want Looker to include when it communicates with your database driver. In order to keep your connection secure, Looker now has an allowlist for the additional JDBC parameters that are supported for each database dialect.
For a list of the supported JDBC parameters for your dialect, see the "Supported JDBC parameters" section of the database configuration instructions page for your dialect.
Spanner offers conversational analytics, which lets users query their operational data using natural language. This feature is powered by the Conversational Analytics API, which can help you translate complex human dialog into precise database queries to provide actionable insights. This feature is in Preview. For more information, see Conversational analytics for Spanner overview.
You can create BigQuery non-incremental materialized views over Spanner data to improve query performance by periodically caching results. This feature is generally available (GA).
You can use
Cloud resource connections with EXPORT DATA statements
to reverse ETL (extract, transform, load) BigQuery data to
Spanner. This feature is
generally available (GA).
M140 release
The M140 release of Vertex AI Workbench instances includes the following:
Workbench Image Release 26.03
Released the new 26.03 image version under the following image family `workbench-instances-2603. This major update introduces:
v26.03) to provide better historical context for image updates. For more information on new versioning schema see the latest documentationService producers can accept or reject connections from individual Private Service Connect endpoints. This feature is available in General Availability.
]]>Release 6.3.81 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Release 6.3.80 is now available for all regions.
You can configure Sensitive Data Protection to detect specific client-provided metadata. For more information, see Create a custom metadata label detector.
]]>DNS Armor is available in Preview.
DNS Armor is available in Preview.
The Data Boundary for IRS 1075 supports the following products:
The US Data Boundary for Healthcare and Life Sciences and US Data Boundary for Healthcare and Life Sciences with Support support the following products:
The Data Boundary for ITAR supports the following products:
Cloud Composer 2 environments can no longer be created in Melbourne (australia-southeast2). We're switching this region to supporting only Cloud Composer 3 environments. Existing Cloud Composer 2 environments in this region aren't affected by this change.
A new Cloud Composer release has started on March 27, 2026. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.
(Airflow 3.1.7) Starting from version composer-3-airflow-3.1.7-build.1, Airflow workers no longer have direct access to the Airflow database of your environment.
This feature was announced previously and has finished gradually rolling out to all regions supported by Cloud Composer 3.
New Airflow builds are available in Cloud Composer 3:
New images are available in Cloud Composer 2:
The following Cloud Composer versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.19 and composer-2.12.0-*.
A vulnerability (CVE-2026-23268) about CrackArmor was discovered and has been addressed. For more information, see the GCP-2026-015 security bulletin.
New Serverless for Apache Spark runtime versions:
Custom splitter model
pretrained-splitter-v1.5-2025-07-14 is available in
General Availability (GA).
The following issues were fixed in 1.33.600-gke.40:
The following issues were fixed in 1.32.1000-gke.57:
gkectl upgrade admin command after a
previous failure could fail with "AlreadyExists" errors in the bootstrap cluster.
Google Distributed Cloud (software only) for VMware 1.32.1000-gke.57 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.32.1000-gke.57 runs on Kubernetes v1.32.13-gke.1000.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
Google Distributed Cloud (software only) for VMware 1.33.600-gke.40 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.33.600-gke.40 runs on Kubernetes 1.33.5-gke.2200.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.32.1000-gke.57:
RecentFailures field
in the cluster status. This change provides a centralized location for viewing
errors from both worker node pools and control plane nodes, improving the
troubleshooting and debugging experience.
kubectl top, Horizontal Pod Autoscaling (HPA), and Vertical Pod Autoscaling
(VPA)—could fail with TLS verification errors during CA rotation.
Google Distributed Cloud (software only) for bare metal 1.32.1000-gke.57 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.1000-gke.57 runs on Kubernetes v1.32.13-gke.1000.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Risk Engine has launched enhanced heuristics to help identify default high-value resources.
If you are using the default high-value resource set, you might observe changes in the exposure scores of their findings, resources, and issues. For information about these changes, see Default high-value resource set.
reCAPTCHA Mobile SDK v18.9.0-beta02 is available for Android. This version includes the following: