Preview: You can use Gemini in the Google Cloud console as an AI-powered interface to evaluate hardware options, estimate deployment costs, and view recommended configurations for your clusters. Prompting Gemini helps you reach an optimal configuration for your cluster before you create or modify the cluster. For more information, see Design and optimize your cluster with Gemini.
Conversational analytics in BigQuery is now generally available (GA) and includes the following features:
Agents can use the following AI functions to answer your questions:
You can also create a conversation with a dataset. This feature is in preview.
Preview: You can use Gemini in the Google Cloud console as an AI-powered interface to evaluate hardware options, estimate deployment costs, and view recommended configurations for your Compute Engine instances. Prompting Gemini helps you reach an optimal configuration for your workload before you create or modify a compute instance. For more information, see Design your compute infrastructure with Gemini.
[Spotlight Feature] Ask Gemini Cloud Assist in Feed Management
Google SecOps now provides Gemini Cloud Assist (GCA) directly within the Feed Management interface. Use the new Ask Gemini Cloud Assist button to get help with feed creation, setup, and general troubleshooting questions.
Click Ask Gemini Cloud Assist to open the Gemini Cloud Assist panel and ask questions to get guidance on:
Note: Gemini Cloud Assist provides recommendations and answers to your questions, but does not perform configuration changes on your behalf. You must apply any recommended changes manually to your feeds.
For more information, see Feed management overview.
Ingestion metrics reporting correction
Google Security Operations has resolved an issue where certain ingestion metrics—which are displayed in both the dashboard and Cloud Monitoring—were under-reported.
Because of this correction, you might notice a one-time apparent spike in your ingestion metrics when the update is enabled for your region (between June 29 and July 10, 2026). The actual log volume ingested remains unchanged.
Historical metrics recorded before this update will not be modified or backfilled. This correction does not affect customer billing.
If you have questions or need assistance, contact Google Security Operations support.
Critical Notice: Upcoming reservation of siemAlertId field
Effective July 5, 2026, the siemAlertId field will be strictly reserved for
internal Chronicle SIEM alert IDs.
Starting July 5, the system will automatically overwrite any custom or
user-supplied data passed through this field. This change impacts all ingestion
methods, including the Ingestion API, webhooks, and both first-party and
third-party connectors. If you are currently utilizing a custom field named
siemAlertId in any of your data ingestion configurations, please migrate to a
different field name immediately to prevent data loss.
Ask Gemini Cloud Assist in Feed Management
Google SecOps now provides Gemini Cloud Assist (GCA) directly within the Feed Management interface to help you with feed creation, setup, and general troubleshooting questions.
A new Ask Gemini Cloud Assist button is now available in the Feed Management interface. You can click this button to open the Gemini Cloud Assist panel and ask questions to get guidance on:
Note: Gemini Cloud Assist provides recommendations and answers to your questions, but does not perform configuration changes on your behalf. You must apply any recommended changes manually to your feeds.
For more information, see Feed management overview.
Ingestion metrics reporting correction
Google Security Operations has resolved an issue where certain ingestion metrics—which are displayed in both the dashboard and Cloud Monitoring—were under-reported.
Because of this correction, you might notice a one-time apparent spike in your ingestion metrics when the update is enabled for your region (between June 29 and July 10, 2026). The actual log volume ingested remains unchanged.
Historical metrics recorded before this update will not be modified or backfilled. This correction does not affect customer billing.
If you have questions or need assistance, contact Google Security Operations support.
Critical Notice: Upcoming reservation of siemAlertId field
Effective July 5, 2026, the siemAlertId field will be strictly reserved for
internal Chronicle SIEM alert IDs.
Starting July 5, the system will automatically overwrite any custom or
user-supplied data passed through this field. This change impacts all ingestion
methods, including the Ingestion API, webhooks, and both first-party and
third-party connectors. If you are currently utilizing a custom field named
siemAlertId in any of your alert ingestion configurations, please
migrate to a different field name immediately to prevent data loss.
You can control data lineage ingestion for BigQuery and Managed Service for Apache Airflow at the organization, folder, or project level. This feature is available in preview.
For more information, see Control data ingestion.
ABAP SDK for Google Cloud version 1.14 (On-premises or any cloud edition)
Version 1.14 of the on-premises or any cloud edition of the ABAP SDK for Google Cloud is generally available (GA).
This version resolves an issue that occurred during signature verification for Cloud Storage content repository and removes an unreferenced node from the SPRO configuration menu.
For more information, see What's new with the ABAP SDK for Google Cloud.
BigQuery Connector for SAP version 2.15
Version 2.15 of the BigQuery Connector for SAP is generally available (GA). This version resolves issues related to column descriptions in standalone SLT system configurations and attribute consistency in Pub/Sub messages during Change Data Capture (CDC) replication.
For more information, see What's new with BigQuery Connector for SAP.
Image safety classification infoTypes are now supported in ExcludeByImageFindings and AdjustByImageFindings detection rules.
For information about configuring these rules, see Modifying infoType detectors to refine scan results.
Spanner supports direct connectivity. When enabled, your application traffic is routed directly to Spanner servers, bypassing the Google Front End (GFE) servers. This can reduce your overall latency. Direct connectivity is generally available (GA).
]]>Preview: RoCE VPC networks for VM instances support assigning alias IP
ranges to MRDMA vNICs. For more information about these features, see the
following:
On June 22nd, 2026, we released an updated version of Apigee (1-17-0-apigee-10).
| Bug ID | Description |
|---|---|
| 519996459 | Security fix for Apigee. Upgraded the Apigee ingress gateway to patch the following vulnerabilities:
|
| N/A | Security fix for Apigee infrastructure. |
| Bug ID | Description |
|---|---|
| 515788622 | Upgraded the default outbound TLS protocol from TLSv1.2 to TLSv1.3 on JVMs that support it. Per-proxy <SSLInfo><Protocols> settings continue to take precedence, and the new HTTPClient.outbound.tls.protocol override lets operators force a specific protocol. |
| 184266748 | Fixed an issue where ApigeeDatastore TLS certificate creation could fail in namespaces with longer names when the certificate common name exceeded the 64-byte limit. |
| 286069772 | Added a per-gateway proxyProtocol.mode property (strict, permissive, disable) on Apigee ingress gateway components to opt in to HAProxy PROXY-protocol parsing. The property defaults to disable. |
| N/A | Updates to infrastructure and libraries. |
You can use the BigQuery Data Transfer Service to transfer metadata from the following data sources into Knowledge Catalog:
This feature is in Preview.
Resource-based CUD recommendations available for Compute Engine GPUs, Local SSD disks, and OS licenses
Resource-based committed use discount (CUD) recommendations are generally available (GA) for GPUs, Local SSD disks, and premium operating system (OS) licenses.
CUD recommendations provide insight into any additional commitments that you can purchase to optimize the costs of the resources that you run. You can use these recommendations and purchase commitments for resource usage that isn't covered by commitments and is being charged at list prices. Google Cloud analyzes your compute instance spending trends with and without a commitment and generates CUD recommendations on a monthly basis.
For more information about how CUD recommendations are generated, what resource types are supported, and how to use recommendations to purchase commitments, see Get recommendations for committed use discounts (CUDs).
If the parent project for a Cloud Storage bucket changes, a log sink stops routing log entries to that bucket. For more information about error messages and recovery options, see Errors routing to Cloud Storage.
Metrics Explorer can automatically break down a chart into a series of tiles, with each displaying time-series data for a specific label key. This view helps you identify spikes, dips, or trends that the aggregation settings might otherwise hide.
To learn more, see Break down a chart by labels.
Customer-managed encryption key (CMEK) support for Cloud SQL enhanced backups is generally available. You can protect your CMEK-enabled Cloud SQL instances using Google Cloud Backup and DR Service.
For more information, see Choose your backup option.
Customer-managed encryption key (CMEK) support for Cloud SQL enhanced backups is generally available. You can protect your CMEK-enabled Cloud SQL instances using Google Cloud Backup and DR Service.
For more information, see Choose your backup option.
Customer-managed encryption key (CMEK) support for Cloud SQL enhanced backups is generally available. You can protect your CMEK-enabled Cloud SQL instances using Google Cloud Backup and DR Service.
For more information, see Choose your backup option.
The Envoy Lua Filter is now available as a preview feature in the rapid release channel.
Generally available: You can create instances all at once in a regional managed instance group (MIG) by using resize requests. For more information, see About resize requests in a MIG.
Generally available: Resource-based committed use discount (CUD) recommendations are available for GPUs, Local SSD disks, and premium operating system (OS) licenses.
CUD recommendations provide insight into any additional commitments that you can purchase to optimize the costs of the resources that you run. You can use these recommendations and purchase commitments for resource usage that isn't covered by commitments and is being charged at list prices. Google Cloud analyzes your compute instance spending trends with and without a commitment and generates CUD recommendations on a monthly basis.
For more information about how CUD recommendations are generated, what resource types are supported, and how to use recommendations to purchase commitments, see Get recommendations for committed use discounts (CUDs).
You can now use Hyperdisk Balanced
disks for Dataflow worker VMs. With Hyperdisk Balanced disks, you can provision
IOPS and throughput independently of disk size by using the diskProvisionedIOPS
and diskProvisionedThroughput pipeline options (Java SDK) or
disk_provisioned_iops and disk_provisioned_throughput_mibps pipeline options
(Python and Go SDKs). For more information, see
Disk type and
Provision IOPS and throughput.
Provisioned Throughput support for supervised fine-tuned Gemini 3 model inference.
Provisioned Throughput can be used to assure supervised fine-tuned inference using the same quota. Supervised fine-tuned inference for Gemini 3 models incurs a higher burndown rate compared to base model inference. Learn more here.
Google Cloud CCaaS 4.43
We've released version 4.43 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Calls to direct numbers display language selection in the call adapter
When an agent receives a direct call, the call adapter now displays the language that the caller chose during language selection.
For more information, see Direct phone numbers.
HubSpot: Control the display of CRM account fields and record fields in the agent adapter
You can now control how CRM account fields (contact and company) and record fields (ticket and deal) appear in the agent adapter for HubSpot integrations. This gives agents immediate access to important context such as VIP status, account ownership, and ticket priority during live interactions.
Administrators: In the Settings > Developer Settings > CRM > Agent Platform > HubSpot > Account Lookup section, there are two new CRM Account Display Fields sections and a new CRM Record Display Fields section.
For more information, see HubSpot lookups.
The chat API supports CSAT surveys
You can now conduct customer satisfaction (CSAT) surveys using the chat API. You can configure CSAT surveys at the global level and at the queue level.
Administrators: On the Settings > Chat page, there's a new Chat API section.
For more information, see CSAT in the chat API.
This release addresses the following issues:
Fixed an issue where uploading a PDF document to a chat made the conversation history unavailable during a session transfer or page refresh.
Fixed an issue where direct SMS chats didn't send termination notifications at the end of the chat.
Fixed an issue where the after-hours voicemail greeting didn't play during agent-to-agent call deflections.
Fixed an issue where SIP and IVR calls intermittently failed if the caller disconnected before a virtual agent was assigned.
Fixed an issue where calls deflected to voicemail during after-hours were incorrectly reported as errors in the All Call History report.
Fixed an issue where direct inbound calls were incorrectly deflected to voicemail during an agent's available hours when agent deflections were enabled.
Fixed an issue where inbound voice calls failed with an application error during the initial lookup phase.
Fixed a Kustomer issue where Agent Assist transcripts were delivered to the CRM as file attachments instead of timeline notes.
Fixed an issue where the In Progress banner and the Cancel button didn't appear immediately after a virtual task assistant request was initiated.
Fixed an issue where campaigns stayed in a paused state instead of transitioning to a completed state after finishing.
Fixed a Deltacast issue where chats weren't routed correctly to available agents when the company-wide concurrency setting was disabled but individual agent limits were active.
Fixed an issue where supervisor monitoring and whisper features caused system errors during call recording.
Fixed an issue where agents couldn't dismiss forwarded voicemails if the source queue had been deleted.
Fixed an issue where Telnyx calls that ended normally didn't generate a disconnect event, resulting in missing recordings, missing transcripts, and calls appearing to still be active in the CCAI Platform portal.
Fixed an issue where consecutive IVR queue deletions caused performance delays and timeout errors.
Fixed an issue where queue-level automatic wrap-up settings were disabled without an end-user action.
Fixed an issue where the queue settings page displayed inconsistent whisper announcement statuses and didn't play queue names during calls.
Fixed an issue where the Queues page displayed incorrect overcapacity deflection settings when end-users navigated quickly between different queues.
Fixed an issue where virtual agents attempted to fail over to a human agent during outages even when no human agent was configured.
Fixed a Salesforce issue where initiating an outbound call from an active case linked to a separate case assigned to a different user, incorrectly overriding ownership of the second case.
Fixed a Kustomer issue where duplicate conversation records were created in the CRM during calls.
Fixed a Kustomer issue where SMS chat sessions didn't create tickets in the CRM.
Fixed an issue where underscores in an email address in a shortcut were converted to double backslashes when an agent sent the email address to an end-user.
Fixed an issue where deleting Twilio records caused unnecessary errors.
Fixed an issue where disabling the global CSAT setting prevented IVR surveys from being offered to callers, even when the surveys were enabled for specific queues.
Knowledge Catalog connectors for importing metadata from Oracle and MySQL data sources are available in preview.
Knowledge Catalog connectors automatically extract metadata (technical, operational, and business) from external data sources and import it into Knowledge Catalog entry groups. You can schedule metadata import runs on a set schedule.
For more information, see About database connectors and Manage connector configurations.
Starting June 22, 2026, the following features will begin rolling out as part of Looker 26.10.
Now available in preview, model localization is supported for imported projects. By default, Looker uses the locale definitions from the importing project only, if the importing project has locale definitions. However, if you want to merge the locale definitions from an imported project with the locale definitions of the importing project, you can add the import_locale_defs: yes statement to the localization_settings parameter in your importing project's manifest file. See the Localizing your LookML model documentation page for more information.
Dashboard editors can now enable the Preserve desktop layout setting to preserve the layout of a dashboard when users view the dashboard in a smaller browser or on a mobile screen. Users can navigate the dashboard with a zoom slider that enlarges tiles, and they can switch between desktop and mobile view.
Continuous Integration (CI) suites can now be configured to automatically run on a recurring schedule.
The Enhanced search feature is now generally available.
The character limit for descriptions on dashboards and Looks has been increased to 2,000 characters, giving content creators the ability to add comprehensive descriptions, operational definitions, and notes to their dashboards and Looks to ensure that viewers fully understand the data context.
This feature is available to any user with standard content editing rights (Edit content access level or save_dashboards or save_looks permissions).
The Self-service Explores feature has the following updates:
Looker admins can now programmatically change the owner of dashboards, boards, and agents with the Looker API by updating the associated user ID. This simplifies offboarding and content reassignment when users change roles or leave the organization.
When the owner of a dashboard, a board, or an agent is changed, new owners are automatically granted Manage/Edit access to transferred agents. Any existing certification badges on transferred dashboards remain intact.
The API initiator must have save_content and manage_spaces access to the folder where the asset resides.
Transferring ownership of dashboards and boards doesn't automatically grant the new owner access to parent folders, models, or underlying Looks.
Now available in preview, the Filters as tiles and tile-level filter context feature lets you convert dashboard filters into draggable tiles on the dashboard canvas. A dashboard editor can then drag and arrange filter tiles on the dashboard canvas in the same way as other dashboard tiles. To enable this feature, a Looker admin must turn on the Filters as tiles and tile-level filter context setting on the Previews admin page.
In addition, viewers can now check which filters are applied to a specific visualization tile.
Now available in preview, the Google Maps enhancements feature adds the following features:
The Visualization Assistant is now available in the new Explore experience.
The Gemini Expression Assistant preview feature has been updated to increase performance.
Now available in preview, the KPI Visualization feature replaces the Single Value chart option with the KPI (Single Value) chart option. The new KPI (Single Value) chart option lets users access the following enhanced styling options for single value visualizations:
Looker dashboard agents are now included in the embedded Looker experience. Embed users with the appropriate permissions can see dashboard agents on all the embedded dashboards that they have access to.
Learn more about how to configure an embedded dashboard for embed user visibility.
Conversational Analytics data agents that are published to Gemini Enterprise now support visualizations in their conversations.
The Granular Dashboard Sizing preview feature is now enabled by default.
The dashboard summary feature can now be enabled separately from dashboard data agents. This feature is disabled by default. When this feature is enabled, a dashboard summary is generated automatically at the top of the dashboard data agent conversation. To enable this feature, a Looker admin must turn on the Enable Dashboard Summary feature on the Gemini in Looker admin page.
Now available in preview, enhanced observability metrics, including engagement and token usage data, are available for Conversational Analytics on the Conversational Analytics System Activity dashboard. To enable this feature, a Looker admin must turn on the Conversational Analytics Observability setting on the Previews admin page.
When you update the Gemini Enterprise instance that is connected to Looker, any data agents that you published to the previous Gemini Enterprise instance will be unpublished. You can still access these data agents in Looker, but you must re-publish them to the new Gemini Enterprise instance before you can chat with those agents in Gemini Enterprise.
Image scanning is available in the following cloud regions:
asia-southeast1us-east4us-west1For more information, see Locations that support image scanning.
Between July 2025 and June 2026, some table data
profiles saved to BigQuery contained an incorrect
1970-01-01 timestamp instead of NULL in expiration_time
for tables that don't expire. This issue has been fixed. New exports of table
data profiles show the correct expiration timestamps.
Preview: RoCE VPC networks for VM instances support assigning alias IP
ranges to MRDMA vNICs. For more information about these features, see the
following:
Scheduled Maintenance
CloudSQL will undergo a scheduled minor upgrade this Sunday, June 21, 2026.
Release 6.3.90 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Scheduled Maintenance
CloudSQL will undergo a scheduled minor upgrade.
]]>Cloud Shell no longer includes the Terraform CLI by default. Users can customize their environment to install the CLI on environment startup, or install the binary to their home directory to persist the install between sessions.
Release 6.3.89 is now available for all regions.
]]>On June 19, 2026 we released an updated version of the Apigee hybrid software, v1.16.6.
Various security and CVE fixes are included in this release.
You can use the Bigtable Studio explorer to search for all resources except for authorized views and column families. For more information, see Manage your data using Bigtable Studio.
]]>Update to the API Gateway runtime architecture
The API Gateway runtime architecture is being updated to improve its integration with Google Cloud Platform and its services.
This update does not affect existing API Gateway features. However, be aware of the following differences:
Status code changes for gRPC API Gateways
| Error | New status code | Previous status code |
|---|---|---|
| Quota exceeded | ResourceExhausted |
Unavailable
|
| Invalid API key | InvalidArgument |
InternalError |
For 4xx client-side quota failures, API Gateway will now reject requests (fail closed). This applies to both gRPC and OpenAPI API Gateways.
If you experience any other differences in behavior due to this update, contact Google Cloud Customer Care.
Note: Rollouts of this release to production instances might take up to 4 weeks to complete across all Google Cloud zones. Your instances might not be updated until the rollout is complete.
Agent Registry is generally available (GA).
The following are features available in Agent Registry for the GA launch stage:
v1 version of the Agent Registry API is available. Cloud client libraries are available in C#, Go, Java, Node.js, PHP, Python, and Ruby.1.0, letting you explicitly declare transport endpoints and bindings inside the supportedInterfaces array, in addition to the existing 0.3 schema support.Known limitations:
On June 18th, 2026, we began maintenance updates of Apigee instances configured for maintenance windows.
If you set a preferred window for maintenance for your instance, and your instance version is below 1-17-0-apigee-9, your instance will be updated to 1-17-0-apigee-9 within the next seven to 21 days. A notification containing the expected date of upgrade will be sent within the next two business days.
For more information on participating in scheduled maintenance windows, see Maintenance overview and Manage Apigee instance maintenance windows.
Backup vault support for Cloud SQL instances encrypted with customer-managed encryption keys (CMEK) is generally available (GA), providing immutable and indelible storage with enforced retention. For more information, see Back up Cloud SQL instances to a backup vault.
The Cloud Logging API adds support for the ca regional endpoint. For a
complete list of regional endpoints, see the
REST reference pages.
Cloud SQL for MySQL now supports minor version 8.0.46. To upgrade your existing instance to the new minor version, see Upgrade the database minor version.
Cloud SQL is integrated with Google AI Studio to help you build full-stack applications that use a Cloud SQL for PostgreSQL developer edition instance as the database. You can enter natural language prompts in the Google AI Studio to build applications backed by Cloud SQL and add features such as authentication, search, and persistent data storage.
For more information, see Build vibe-coded applications using Google AI Studio and Cloud SQL.
This feature is generally available (GA).
The rollout of the following Cloud SQL for PostgreSQL minor version and extension upgrades is complete:
Minor versions
The new maintenance version is [PostgreSQL version].R20260319.07_04.
To apply the new maintenance version, see
Perform self-service maintenance.
You can collect, view, and analyze multimodal prompts and responses from your agentic applications that use the LangGraph or Agent Development Kit (ADK) frameworks. This feature is generally available (GA).
Gemini Enterprise: Workflow agents (GA with allowlist)
You can create, import, update, and use workflow agents in the Gemini Enterprise web app. These agents are designed to execute a sequence of steps or actions, which can include a mix of AI automation and human intervention, based on a configured trigger.
This feature is available as a GA with allowlist. To access this feature, contact your Google account manager. After your Google Cloud project is added to the allowlist, a Gemini Enterprise administrator must turn on the Enable agent designer toggle in the web app feature management settings to let users use it.
For more information, see:
Workflow agents (You need to be on the allowlist to access the page.)
Agent Gateway in General Availability
Agent Gateway is the networking component of the Gemini Enterprise Agent Platform ecosystem. It secures and governs connectivity for all agentic interactions, whether they occur between users and agents, agents and tools, or among agents themselves.
For details, see Agent Gateway overview.
Agent Observability is generally available (GA)
This release provides visibility into the performance, behavior, and health of deployed agents and Model Context Protocol (MCP) servers directly within the agent management workflow.
Key updates in this release include:
For more information, see the following:
The Agent Identity API (agentidentity.googleapis.com) is
available in Preview.
This new API replaces the legacy IAM Connectors API
(iamconnectors.googleapis.com) for managing auth providers and agent
identities.
During the preview migration period, both APIs operate side-by-side. Existing
auth providers are automatically mirrored to the new V2 resource hierarchy
(authProviders/), allowing you to migrate your IAM policies, agent code, and
client applications without downtime.
For Exadata Database Service on Exascale infrastructure and Base Database Service, Oracle Database@Google Cloud adds region asia-northeast2 (Osaka, Japan).
For a list of supported locations, see Supported regions and zones.
Security Command Center External Exposure is available in Preview for the Security Command Center Premium tier. The service helps you manage and reduce your external attack surface through automated asset discovery, Google Cloud network exposure path validation, and active exploitability testing.
For more information, see Detect exposed resources.
]]>You can enable autonomous embedding
generation on new or existing
tables that you make with the CREATE
TABLE
or ALTER
TABLE
statements. When you do this, BigQuery maintains a column of embeddings on the
table based on a source column. When you add or modify data in the source
column, BigQuery automatically generates or updates the embedding column for
that data.
This feature is generally available (GA).
CUD dashboard redesign available (preview)
The redesigned CUD dashboard is available in the Billing section of the Google Cloud console. It provides a consolidated view of all your resource-based and spend-based CUDs in a single place. The new design improves usability and scalability, helping you find information faster.
For more information, see View your commitments.
When you create composite objects, you can delete the temporary source objects as part of the composition process.
Gemini Enterprise: Create and manage skills (GA with allowlist)
You can create, import, update, and use skills in the Gemini Enterprise web app. Skills are reusable custom instructions that help the assistant perform specific tasks.
This feature is available as a GA with allowlist. To access this feature, contact your Google account manager. After your Google Cloud project is added to the allowlist, a Gemini Enterprise administrator must turn on the Enable skills toggle in the web app feature management settings to let users use it.
For more information, see:
Create and manage skills (You need to be on the allowlist to access the page.)
Gemini Enterprise: Gemini Enterprise app for Slack
Gemini Enterprise administrators can integrate Gemini Enterprise with Slack to deliver AI-powered answers and search directly to users in their Slack workspace. Once integrated, users can interact with Gemini Enterprise through direct messages, slash commands, and channel mentions to receive answers that incorporate data from all connected data stores.
This feature is generally available (GA). For more information, see Configure the Gemini Enterprise app for Slack.
Memory Bank and Sessions global and multi-regional endpoints GA
Memory Bank and Sessions support for multi-regional and global endpoints is now in General Availability (GA). For more information, see Supported locations for agents. Note that Customer-Managed Encryption Keys (CMEK) cannot be used if your Memory Bank or Sessions instance is configured to use the global endpoint.
We are experiencing a delay preventing patch releases for GDC software only for VMware. We are working diligently to resolve this issue. We will post updates here with more information as it becomes available.
Auto-collapse setting for the query editor
You can now configure the query editor to automatically collapse after you run a search, maximizing the screen space available for viewing your search results. By default, the query editor remains expanded.
For more information, see Configure query editor behavior.
Secret Manager: Version 1.0
Source code is now publicly available on GitHub for the following integrations:
AlienVault USM Appliance: Version 29.0
AlienVaultTI: Version 15.0
Arcsight: Version 46.0
Axonius: Version 8.0
BMC Helix Remedyforce: Version 18.0
Cisco AMP: Version 24.0
EasyVista: Version 8.0
Mandiant: Version 10.0
Office 365 Management API: Version 11.0
SCCM: Version 22.0
SonicWall-Beta: Version 9.0
Stellar Cyber Starlight: Version 19.0
Symantec Email Security.Cloud: Version 6.0
Twilio: Version 16.0
XForce: Version 20.0
Zabbix: Version 17.0
Google Chronicle: Version 86.0
Fixed an issue where the connector would idle or hang on heartbeats instead of
breaking early when nextPageToken or nextPageStartTime is received, and
updated ontology mapping in the following connector:
Palo Alto Cortex XDR: Version 29.0
Updated host name extraction logic in the raw payload in the following connector:
Auto-collapse setting for the query editor
You can now configure the query editor to automatically collapse after you run a search, maximizing the screen space available for viewing your search results. By default, the query editor remains expanded.
For more information, see Configure query editor behavior.
Memorystore for Redis supports the General Availability of the following health issues:
Support for the ext_authz Envoy gRPC API
protocol
is now generally available
(GA) for regional
external Application Load Balancers and regional internal
Application Load Balancers.
AlloyDB integration with Knowledge Catalog is now generally available (GA).
This integration provides a unified metadata view to simplify data governance and analysis. It includes near real-time synchronization and expanded metadata details, like primary and foreign keys.
For more information, see Integrate AlloyDB with Knowledge Catalog.
On June 16, 2026 we released an updated version of the Apigee hybrid software, v1.14.6.
Various security and CVE fixes are included in this release.
Table Explorer behavior is moving to the Reference panel. This transition will occur in July 2026 or later. For more information, see Table Explorer.
QueryData adds support for parameterized secure views (PSVs) to help secure applications that use natural language queries. For more information, see Secure and control access to application data.
This feature is in Preview.
For resource-based committed use discounts (CUDs), the default value of CUD scope for most Cloud Billing accounts has changed from Project to Billing account. If the CUD scope is set to Billing account, then resource-based CUDs from a commitment are shared across all projects in that account. If the CUD scope is set to Project, then resource-based CUDs from a commitment are available to only the project in which you purchased that commitment.
Depending on the Cloud Billing account's creation date and the active commitments in that account, this change applies in the following way:
For more information, see Share resource-based CUDs across projects.
Support for the accelerator-optimized g4-standard-48 machine type for securely running AI and ML workloads is available in Preview, with the following specifications:
Dataflow now supports NVIDIA RTX Pro 6000 GPUs. You can use this
GPU model to run your Apache Beam pipelines on Dataflow. RTX
Pro 6000 GPUs are recommended for large, medium, and small model inference
workloads. To configure your workers with this GPU model, set the accelerator
type to nvidia-rtx-pro-6000. For more information, see Dataflow
support for GPUs.
Gemini Enterprise: ServiceNow data store actions and federation
The ServiceNow data store supports federation and assistant actions in Gemini Enterprise.
You can connect a ServiceNow site to search and read incidents, change requests, tasks, and knowledge base articles using natural language. You can also perform actions, such as creating and updating incidents, directly from the Gemini Enterprise app.
This feature is generally available (GA). For more information, see Connect ServiceNow.
Google Distributed Cloud (software only) for bare metal 1.35.200-gke.66 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.35.200-gke.66 runs on Kubernetes v1.35.3-gke.400.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.35.200-gke.66:
etcd-events pod read the stale data directory when it started
and attempted to reuse the old member ID to rejoin the cluster instead of the
new one. Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures the /var/lib/etcd-events directory is
cleared upon failure, and adds retry logic to kubeadm-reset to improve resiliency against transient API errors.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine): Rollout of the new sub-minor versions without pre-configured channels will begin on June 22, 2026, delayed from the previously planned date of June 15, 2026 ETA.
You can now use authorization policies to perform identity-based and content-based access control checks when processing outbound traffic requests through Secure Web Proxy.
By configuring authorization policies, you can set rules for your workloads to access external destinations. You can also use these authorization policies to delegate complex authorization decisions to identity and content-scanning services like Service Extensions. This feature is supported in Preview.
You can integrate frontend mutual TLS (mTLS) with Secure Web Proxy to boost the security of your applications and workloads.
With this integration, you can use validated client identities in Secure Web Proxy authorization policies to enforce granular access control for outbound traffic. This feature is supported in Preview.
]]>Preview: Before you create Spot VMs, you can view the real-time availability, estimated uptime, historical preemption rate, and pricing for a specific machine type and location. This information helps you maximize the chances of successfully creating Spot VMs and choose the configuration that best fits your workload needs and budget. For more information, see Use Spot.
The Database Insights remote Model Context Protocol (MCP) server now supports the following advanced query insights tools for AlloyDB for PostgreSQL:
get_advanced_aggregated_query_statsget_advanced_aggregated_wait_event_statsget_advanced_time_series_query_statsget_advanced_time_series_wait_event_statsget_index_recommendationsFor more information, see Database Insights remote MCP server.
New minor engine versions released for the commercial line of business within the v004.009 and v004.010 version lines. These versions extend support for the major engine version and include no significant changes compared to the previous minor versions.
Use Gemini Cloud Assist to analyze your SQL queries and receive recommendations to optimize query performance in BigQuery. This feature is available to customers who use BigQuery editions. This feature is in Preview.
Support for configuring daily token quotas for BigQuery generative AI functions has been temporarily disabled. We are working to restore this feature as soon as possible.
You can resize the width of table columns in BigQuery Studio for BigQuery listings such as datasets, repositories, job history, and connections. To resize a column, hover over the column divider and drag it to your preferred width.
You can use Gemini Code Assist directly within the BigQuery Jobs explorer, Job details, Job history, and Capacity management pages to help you troubleshoot and analyze performance issues. For more information, see Troubleshoot job performance. This feature is in Preview.
Limited support for Blockchain Node Engine
Starting June 15, 2026, Blockchain Node Engine will enter a period of limited support.
New node creation in Blockchain Node Engine and provisioning of new Blockchain RPC endpoints will be disabled.
Existing nodes and endpoints will continue to function and receive critical updates until the final shutdown date.
We recommend migrating your workloads to our partner, Quicknode, to avoid service disruption.
For more information, see the migration guide.
New filters and group-by options available in Cloud Billing Reports
Cloud Billing has added two filters to the Billing Reports page to help you analyze and understand your costs:
Products: Google Cloud Products consist of a group of SKUs (potentially from more than one Google Cloud Service) that work together and are sold as a single service, sometimes referred to as a logical product family or a subscription service. Examples include Gemini Enterprise and Firebase App Hosting.
Originating services: An Originating service is a Google Cloud service that causes usage in another service. For example, Google Kubernetes Engine (GKE) can cause usage in Compute Engine. In this use case, when you are viewing the Compute Engine usage and costs, GKE is an originating service when it causes usage in Compute Engine.
You can also Group by the new filters, to summarize your costs by the dimension you select.
Learn more about analyzing billing data and cost trends with Reports.
Learn how to view Gemini Enterprise costs in Cloud Billing reports.
The Envoy Compressor Filter is now GA in the rapid release channel.
To ensure your EnvoyFilter compressor configuration is fully supported, see
Modernize EnvoyFilter compressor configurations.
Preview: Before you create Spot VMs, you can view the following information for a specific machine type and location:
You can view the real-time obtainability and estimated uptime. This information helps you maximize your chances of successfully creating Spot VMs, as well as help ensure that your workload starts and runs efficiently.
You can view historical and current preemption rate and pricing. This information helps you compare and choose the configuration that best fits your workload needs and budget.
For more information, see View the availability of Spot VMs and View the preemption rate and pricing for Spot VMs.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.90 | v27.5.1 | v2.2.3 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.18.35 | v29.4.3 | v2.2.3 | See List |
Upgraded app-admin/fluent-bit to v4.2.5.
Upgraded cos-gpu-installer to v2.7.3.
Allow overriding IMA policy from oem partition.
Upgraded sys-apps/less to v702.
On cchost boards, autoload IMA policy on boot.
Fixed CVE-2025-71289 in the Linux kernel.
Set static UUID for the stateful partition.
Fixed CVE-2026-43245 in the Linux kernel.
Update sys-process/audit to v3.0.9.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Updated glib to v2.86.5.
Fixed CVE-2026-45839 in the Linux kernel.
Updated sys-libs/pam to v1.5.3.
Fixed CVE-2026-45841 in the Linux kernel.
Updated the Linux kernel to v6.18.35.
Fixed CVE-2026-45842 in the Linux kernel.
Upgraded net-misc/openssh to v10.0_p2.
Fixed CVE-2026-45843 in the Linux kernel.
Upgraded sys-apps/ek-cpu-balloon to v1.2.3.
Fixed CVE-2026-45844 in the Linux kernel.
Added support for NVIDIA driver v580.159.04.
Fixed CVE-2026-46243 in the Linux kernel.
Fixed a crash that occurs when using the configfile or
source GRUB2 commands when Secure Boot is enabled.
Fixed CVE-2026-46244 in the Linux kernel.
Upgraded app-containers/docker to v29.4.3, Upgraded app-containers/docker-test to v29.4.3, Upgraded app-containers/docker-cli to v29.4.3.
Fixed CVE-2026-46274 in the Linux kernel.
Upgraded app-containers/docker-credential-helpers to v0.9.7.
Fixed CVE-2026-46300 in the Linux kernel.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-46316 in the Linux kernel.
Upgraded sys-apps/gentoo-functions to v1.7.7.
Fixed KCTF-def602e in the Linux kernel.
Upgraded sys-apps/less to v702.
Fixed KCTF-e5b31d9 in the Linux kernel.
Upgraded sys-libs/libcap-ng to v0.9.3.
Updated dev-python/pyjwt to v2.13.0. This fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-485256.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-33814,CVE-2026-39819,CVE-2026-39823,CVE-2026-39825,CVE-2026-42499,CVE-2026-39817,CVE-2026-39820,CVE-2026-39826,CVE-2026-39836.
Updated dev-python/pyjwt to v2.13.0. This fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-485256.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
Fixed a race condition triggered by ext4 online resize that rarely causes machines to fail to boot.
Upgraded cos-gpu-installer to v2.7.4.
Upgraded dev-libs/libusb to v1.0.30.
Upgraded sys-apps/less to v702.
Fixed CVE-2024-56647 in the Linux kernel.
Fixed CVE-2025-38584 in the Linux kernel.
Fixed CVE-2026-23272 in the Linux kernel.
Fixed CVE-2026-23394 in the Linux kernel.
Fixed CVE-2026-31527 in the Linux kernel.
Fixed CVE-2026-43492 in the Linux kernel.
Fixed CVE-2026-43496 in the Linux kernel.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-46243 in the Linux kernel.
Fixed CVE-2026-46244 in the Linux kernel.
Fixed CVE-2026-46274 in the Linux kernel.
Fixed CVE-2026-46289 in the Linux kernel.
Fixed CVE-2026-46294 in the Linux kernel.
Fixed CVE-2026-46303 in the Linux kernel.
Fixed CVE-2026-46304 in the Linux kernel.
Fixed CVE-2026-46306 in the Linux kernel.
Updated dev-python/pyjwt to v2.13.0. This fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-485256.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Fixed a race condition triggered by ext4 online resize that rarely causes machines to fail to boot.
Upgraded cos-gpu-installer to v2.7.4.
Upgraded sys-apps/less to v702.
Uprev sys-kernel/lakitu-kernel-6_12 to v6.12.92
Fixed CVE-2025-71289 in the Linux kernel.
Fixed CVE-2026-23394 in the Linux kernel.
Fixed CVE-2026-43245 in the Linux kernel.
Fixed CVE-2026-46160 in the Linux kernel.
Fixed CVE-2026-46244 in the Linux kernel.
Fixed CVE-2026-46274 in the Linux kernel.
Fixed CVE-2026-46283 in the Linux kernel.
Fixed CVE-2026-46289 in the Linux kernel.
Fixed CVE-2026-46294 in the Linux kernel.
Fixed CVE-2026-46303 in the Linux kernel.
Fixed CVE-2026-46304 in the Linux kernel.
Fixed CVE-2026-46306 in the Linux kernel.
Fixed CVE-2026-46316 in the Linux kernel.
Fixed KCTF-def602e in the Linux kernel.
Updated dev-python/pyjwt to v2.13.0. This fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-485256.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Fixed a race condition triggered by ext4 online resize that rarely causes machines to fail to boot.
Upgraded cos-gpu-installer to v2.7.4.
Upgraded sys-apps/less to v702.
Fixed CVE-2026-23394 in the Linux kernel.
Fixed CVE-2026-31527 in the Linux kernel.
Fixed CVE-2026-43492 in the Linux kernel.
Fixed CVE-2026-43496 in the Linux kernel.
Fixed CVE-2026-46243 in the Linux kernel.
Fixed CVE-2026-46244 in the Linux kernel.
Fixed CVE-2026-46274 in the Linux kernel.
Fixed CVE-2026-46289 in the Linux kernel.
Fixed CVE-2026-46294 in the Linux kernel.
Fixed CVE-2026-46303 in the Linux kernel.
Fixed CVE-2026-46304 in the Linux kernel.
Fixed CVE-2026-46306 in the Linux kernel.
Fixed KCTF-def602e in the Linux kernel.
Updated dev-python/pyjwt to v2.13.0. This fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-485256.
Dataflow has updated and expanded its pipeline update features for streaming jobs:
update_strategy_parallel_job_update) and a standard
in-place update (update_strategy_in_place_update) while keeping all other
configuration the same.create_or_update_job experiment to enable automatic create-or-update
(upsert) behavior. If an active job with the specified name already exists,
it is updated. Otherwise, a new job is created.For more information, see Automated stop and replace, Automated parallel pipeline updates, and Automatic create or update (upsert) for templates.
Various bug fixes and minor product enhancements.
Gemini Enterprise: New data stores and support for new actions (Public Preview)
The following data stores are available in Public Preview:
Additionally, support for new actions is available for the following data stores:
For more information, see Connect a third-party data source.
Gemini Enterprise: Observability settings for individual agents (Preview)
You can now configure observability settings for individual agents in Agent Designer employee-made agents. This allows you to monitor metrics in Metrics Explorer and view trace results in Trace Explorer for specific agents.
Observability settings for individual agents are configured inside the agent-level settings. Previously, observability was only available at the application level, which applies to the Core Assistant agent.
This feature is in Public Preview. For more information, see Manage observability settings.
Advanced reporting dashboards 4.36
We've released version 4.36 of the advanced reporting dashboards.
New child queues filter option
Dashboards that have the Queue Name filter now also have a Child Queues checkbox. Select Yes if you want to include all child queues of the specified queue. There's also a new Child Queues (Yes / No) filter available in Explores that have the Queue Name filter.
The Agent & Queue Status (Live) Explore contains new real-time agent and queue metrics
The Agent & Queue Status (Live) Explore contains the following new metrics:
In Call: the number of agents currently on a call
Available / Waiting: the number of agents available and waiting for the next contact
Contacts in Queue: the number of calls currently waiting in the queue
Link directly to CSAT scores in your CRM from the CSAT dashboards
In the CSAT Interactions table of the CSAT - Calls and CSAT - Chats dashboards, next to the Session ID numbers, links to the associated CSAT scores in your CRM are now available. You can go directly to the CSAT scores without needing to search for them in your CRM.
For more information, see CSAT dashboards.
Updates to the Real-time Queue Monitoring - Calls dashboard
The Real-time Queue Monitoring - Calls dashboard now includes the following metrics tiles:
Total Rolled Over Pending Callbacks
Total Rolled Over Completed Callbacks
Avg CSAT Calls
For more information, see Queue monitoring dashboards.
Updates to the Queue Performance dashboards
The Queue Performance - Calls and Queue Performance - Chats dashboards now include the following:
A new Interaction Type filter
A new Interaction Type column in the Queue Detailed Table
The Queue Performance - Calls dashboard now includes the following metrics tiles:
Total Rolled Over Completed Callbacks
Total Rolled Over Pending Callbacks
Repeat contact data in the Queue Performance dashboards
The Queue Summary Table of the Queue Performance - Calls and Queue Performance - Chats dashboards now includes the following columns:
Total Repeat Contacts
Repeat Contact %
For more information, see Queue Performance dashboards.
The following issues were addressed in this release:
Fixed an issue where Repeat Contact % values in the Queue Summary Table of the Queue Performance - Calls dashboard exceeded 100%.
Fixed an issue where the Date filter in Explores returned no results when is on or after was set for an absolute date.
Removed the Total Logged in Time metrics tile from the Agent Availability dashboard.
Fixed an issue where language labels were missing from the advanced reporting dashboards.
Fixed an issue that occurred when filtering by chat ID in the All Interactions - Chats dashboard. The wrong chat ID appeared in the Virtual Agent Chats table.
Fixed an issue where disposition codes were missing or blank for outbound calls in the Call Agent Metrics (Historical) dashboard.
Starting with Distributed Cloud software only for VMware version
1.33.0-gke.799, you must add us.gcr.io to your firewall allowlist to
create or upgrade advanced clusters.
You can use the error ID provided in permission error messages to help troubleshoot access. Error IDs provide context for the error, including the principal, resource, permission, and supported IAM conditions. This feature is available in Preview.
For more information, see Permission error messages.
]]>Release 6.3.89 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Non-prioritized IoC Matching rules Category
Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.
For more information, refer to Non-prioritized IoC Matching rules category overview.
Non-prioritized IoC Matching rules Category
Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.
For more information, refer to Non-prioritized IoC Matching rules category overview.
Release 6.3.88 is now available for all regions.
]]>BigQuery AI functions can use
ObjectRef values directly as input,
without calling the OBJ.GET_ACCESS_URL function.
This feature is
generally available
(GA).
All agent.googleapis.com/processes metrics are retained for 24 months. For
more information, see Data retention.
You can now create and query parameterized secure views in Cloud SQL for PostgreSQL.
Parameterized secure views let you use PostgreSQL views with more granular
access control over your data. While you can issue a GRANT statement to control
whether a user can query a PostgreSQL view, a GRANT statement doesn't let you
control the data that the view returns based on the user who is making the
query.
To gain this level of control, use parameterized secure views. You can define parameters such as a user ID or region within the view. When your application queries the view, a user can provide values for these parameters, which customizes the query results. Using parameterized secure views lets you enforce "least privilege" access to help ensure that your users interact only with the data that is relevant and authorized to them.
This feature is in Preview.
The following images are now rolling out for managed Cloud Service Mesh:
These rollouts will preempt those previously announced on June 3, 2026.
These patch releases contain the fix for the vulnerability listed in GCP-2026-035
Proxy version csm_mesh_proxy.20260423_RC03 for Gateway API on GKE clusters is rolling out to all Managed Cloud Service Mesh release channels over the next week.
Gemini Enterprise mobile app: General availability (GA) for Google Identity users
The Gemini Enterprise mobile app is generally available (GA) for organizations using Google Identity as their identity provider. Users can access their agents, search enterprise data, utilize voice features, and perform interactive actions from iOS and Android devices.
With this release, administrators can display a configuration QR code on the web app homepage to enable user access by scanning the QR code. For organizations using Microsoft Entra ID, access to the mobile app is in GA with allowlist.
To learn more, see Configure the mobile app and Use the mobile app.
Google Cloud CCaaS 4.40
We've released version 4.40 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue with Salesforce where virtual agent responses appeared out of order in transcripts.
Fixed an issue where the advanced reporting dashboards didn't load.
Fixed an issue where PDF and audio attachments weren't visible to agents after a chat transfer.
Fixed an issue where end-users were incorrectly placed on hold following a cold transfer to a queue.
Fixed an issue where MP3 audio files for agent call deflections couldn't be uploaded.
Fixed an issue where agents were automatically logged out due to inactivity while still engaged in active calls or chats.
Fixed an issue where a bulk user upload with blank phone number columns caused existing direct inbound phone numbers to become unassigned from agent profiles.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2681000 | cos-117-18613-613-40 | cos-117-18613-613-40 release notes |
| 1.31.14-gke.2074000 | cos-117-18613-613-40 | cos-117-18613-613-40 release notes |
| 1.33.12-gke.1166000 | cos-121-18867-381-161 | cos-121-18867-381-161 release notes |
| 1.35.5-gke.1241000 | cos-125-19216-395-55 | cos-125-19216-395-55 release notes |
| 1.36.0-gke.2459000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
[Spotlight Feature] Search for cases using SIEM Search
Google SecOps SIEM Search now provides robust capabilities for analyzing cases and case history alongside existing Unified Data Model (UDM) events and entities. This update allows security analysts to seamlessly correlate case details with other security telemetry within a single interface, streamlining workflows and accelerating incident response.
Key Highlights:
Unified Search Experience: Conduct searches across UDM events, entities, cases, and case history from a single SIEM Search interface.
Correlate SIEM and SOAR Data: Effortlessly link case details and historical activities with security data, reducing context switching and improving investigation efficiency.
For more information, see Search cases and case history.
[Spotlight Feature] Investigate detections in Google SecOps Search
Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation.
For more details, see Investigate detections in Search.
Asynchronous Search APIs for large datasets
Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results.
For more information, see Asynchronous Search APIs and Result limits for data sources.
[Spotlight Feature] Investigate detections in Google SecOps Search
Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation.
For more details, see Investigate detections in Search.
Asynchronous Search APIs for large datasets
Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results.
For more information, see Asynchronous Search APIs and Result limits for data sources.
New Managed Airflow (Gen 2) environments created while the Restrict Endpoint Usage organization policy is active now use regional endpoints for services like Cloud Storage, Cloud Logging, Pub/Sub, and Data Lineage. For more information, see Configure environments with Restrict Endpoint Usage policy.
The maximum cacheable object size for Media CDN can be increased up to 1 TiB. To request a limit increase for your project, contact your Google support representative. This feature is Generally Available.
For more information, see Quotas and limits.
Media CDN lets you identify the country codes of the edge caches serving client requests. This feature is Generally Available.
For more information, see Custom headers.
The ability to remediate access issues with Policy Troubleshooter is generally available.
Added support for inspecting and de-identifying batched content. You can now include a BatchContentItem in your ContentItem requests.
You can monitor performance, analyze capacity, and optimize costs with Gemini Cloud Assist in BigQuery. This feature is in Preview.
Support for the
AI.KEY_DRIVERS function
is restored. You can use the
AI.KEY_DRIVERS function to identify segments of data that cause statistically significant changes to a summable metric.
This feature is in Preview.
Cluster Toolkit v1.93.0 is available. This release introduces example blueprints for GKE H4D deployments that use the flex-start provisioning model, a compact placement policy and integrated Google Cloud ML Diagnostics. This version also adds a Slurm High Availability controller script and upgrades Slurm images from Rocky Linux 8 to Rocky Linux 9. For details, see the Release announcement on GitHub.
In an autoscaled managed instance group (MIG), you can configure the stabilization period to manage how quickly the autoscaler deletes instances after a decrease in the load. This configuration can help optimize costs or maintain extra capacity based on your workload requirements. For more information, see Configure stabilization period.
The VMware Engine ve2 node type is now available in the following
additional region:
northamerica-south1)Siemplify: Version 109.0
Refactored the code in the following action:
Knowledge Catalog now supports data profile scans for unstructured data (such as PDFs in Cloud Storage) on existing BigQuery object tables. This feature uses Vertex AI Gemini models to extract semantic insights, including entities and relationships, from unstructured content.
For more information, see About unstructured data insights and Use data profile for unstructured data.
]]>Agent Assist offers Proactive generative knowledge assist V2 in GA. This version supports rich search context, multiple suggested queries, and granular control over triggering events.
BigQuery continuous queries now support the following aggregation functions:
Support for these functions is in Preview.
Multi-project access to Cloud Billing cost views available in Preview
In Cloud Billing accounts, multi-project access to usage costs lets project owners, solution owners, developers, and other non-billing admins see cost data for all of their authorized projects in a single view in the Cloud Billing console.
The multi-project view uses a combination of Cloud Billing account permissions and Google Cloud project permissions that let Cloud Billing administrators and organization administrators jointly control access to project-level cost data.
Using project-scoped Cloud Billing account permissions, Cloud Billing administrators can control which solution owners can view aggregated cost data in the Cloud Billing console.
The configuration option to not enroll your cluster in a release channel (known as No channel, formerly as Static) is now deprecated, and will be removed on June 14, 2027. For any clusters not enrolled in a release channel, we recommend that you enroll the cluster before this date. After the removal date, GKE will enroll all remaining clusters in the Stable channel. For more information about this deprecation and how you can achieve the same functionality with release channels, see Clusters not enrolled in a release channel.
Azure Security Center: Version 17.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connector:
Google Chronicle: Version 85.0
Updated partial batch handling and added dynamic batch sizing to prevent timeout loops, refactored logging and added monitoring signals for process health, and pipeline states, and improved detections batch parsing and processing efficiency in the following connector:
Integration: Updated authentication flow mechanism.
Google Cloud IAM: Version 20.0
Updated Predefined Widgets in the following widgets:
List Roles
List Service Accounts
Microsoft Azure Sentinel: Version 64.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Azure Sentinel Incident Connector v2
Microsoft Sentinel Incident Tracking Connector
Microsoft Defender ATP: Version 32.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Defender ATP Connector
Microsoft Defender ATP Connector V2
Microsoft Graph Mail: Version 42.0
Updated the logic for robust handling of transient upstream API errors and connection issues in the following connector:
Microsoft Graph Mail Delegated: Version 19.0
Updated the logic for robust handling of transient upstream API errors and connection issues in the following connector:
Microsoft Graph Security: Version 27.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Graph Office 365 Security and Compliance Connector
Microsoft Graph Security Connector
Protectwise: Version 7.0
Refactored the code in the following action:
Qualys VM: Version 28.0
Fixed AttributeError during parsing of multiple host lists and added fallback hostname matching in the following actions:
List Endpoint Detections
Enrich Host
Organization Policy Service custom constraints are generally available for Cloud Domains. For more information, see Use custom organization policies.
1.29.4-asm.0 is now available for in-cluster Cloud Service Mesh.
You can now download 1.29.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.29.4 subject to the list of supported features.
The following environment variables, labels, and annotations are not supported:
PILOT_IGNORE_RESOURCES and PILOT_INCLUDE_RESOURCESRetryIgnorePreviousHostsomit_empty_valuesPILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAYMAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP with the value 1PILOT_DNS_JITTER_DURATIONPILOT_DNS_JITTER_DURATIONENABLE_NATIVE_SIDECARS with the value truePILOT_IP_AUTOALLOCATE_IPV4_PREFIX and PILOT_IP_AUTOALLOCATE_IPV6_PREFIXPILOT_DNS_CARES_UDP_MAX_QUERIESENABLE_WILDCARD_HOST_SERVICE_ENTRIES_FOR_TLSENABLE_DEBUG_ENDPOINT_AUTHDISABLE_TRACK_REMAINING_CB_METRICSgateway.istio.io/tls-cipher-suitesfileFlushMinSizeKB and fileFlushInterval settings in ProxyConfigtopology.istio.io/localitystatsCompression ProxyConfig optionproxy.istio.io/config annotation for metric compression overridesIstio's experimental feature to enable lazy subset creation of envoy statistics is not supported.
The formatter option within the spec.tracing[].customTags field of the
Telemetry custom resource (telemetry.istio.io) is unsupported.
The istiod_remote_cluster_sync_status Prometheus gauge metric, exposed on the
Istiod control plane metrics endpoint (port 15014 /metrics), is not
supported.
The following are unsupported for proxyless gRPC clients:
Configuring the LEAST_REQUEST load balancing policy within the
spec.trafficPolicy.loadBalancer.simple field of a DestinationRule custom
resource (networking.istio.io)
Configuring the http2MaxRequests circuit breaker within the
spec.trafficPolicy.connectionPool.http.http2MaxRequests field of a
DestinationRule custom resource (networking.istio.io)
The ENABLE_AUTO_SNI flag is still supported to keep aligned with the legacy
behavior.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.29.4-asm.0 uses Envoy v1.37.4-dev.
In-cluster Cloud Service Mesh 1.26 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.
A vulnerability (CVE-2025-10263) about bypass of translation stages or GPT protections in some Arm core families was discovered and has been addressed. For more information, see the GCP-2026-036 security bulletin.
Various bug fixes and minor product enhancements.
Gemini Enterprise: Share agents with Google Groups
End users can share agents created using Agent Designer with Google Identity groups, provided an administrator has enabled this feature for the Gemini Enterprise app.
This feature is generally available (GA). For more information, see Share an agent.
Anthropic's Claude Fable 5
Claude Fable 5 is available in Model Garden.
Mobile SDK for Android version 2.15.3 patch
We've released version 2.15.3 of the Mobile SDK for Android.
This release addresses the following issues:
Fixed an issue where UjetWebFormCallback in the Android SDK lacked the
necessary methods to pass form data.
Fixed an issue where chat messages and content cards in the Mobile SDK displayed out of order.
Fixed an issue where the Android SDK didn't start a new chat session after the previous session ended.
Fixed an issue where customers couldn't customize the Android SDK to display the timeout message to end-users.
UDM fields now show the sources of enrichment
The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.
For more information, see: Viewing events.
UDM fields now show the sources of enrichment
The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.
For more information, see: Viewing events.
The backup capabilities for ONTAP-mode are generally available (GA). For more information, see About backups.
Google Cloud NetApp Volumes remote Model Context Protocol (MCP) server is generally available. NetApp Volumes remote MCP server lets you manage storage pools, volumes, backup vaults, backup policies, backups, and snapshots from LLMs, AI applications, and AI-enabled development platforms. For more information, see Use the NetApp Volumes remote MCP server and NetApp Volumes MCP Reference.
NCC Gateway is generally available.
NCC Gateway lets you enable security functions, such as third-party Security Service Edge (SSE), for cross-cloud network traffic. You can use Secure Access Connect with NCC Gateway to securely connect remote workforces to private applications in Google Cloud, on-premises, or other cloud providers and to public applications, like Palo Alto Networks Prisma Access.
For information about pricing, see NCC Gateway pricing.
Policy Simulator for deny policies is generally available.
The Pub/Sub Lite to Managed Service for Apache Kafka migration guide has been updated to use the latest client libraries and to use Kafka Connect in Managed Service for Apache Kafka.
]]>On June 8th, 2026, we released an updated version of Apigee (1-17-0-apigee-9).
| Bug ID | Description |
|---|---|
| 514384893 | Security fix for Apigee. Hardened the Script policy to block server-side request forgery (SSRF) to link-local addresses. |
| N/A | Security fix for Apigee infrastructure. |
| Bug ID | Description |
|---|---|
| 512850756 | Added observability metrics for the OpenTelemetry trace export pipeline, reporting spans exported, export latency, batch size, and dropped spans. |
| 515039499 | Fixed an issue where OpenTelemetry trace export over HTTP could fail to authenticate when sent through a forward proxy that requires basic authentication. |
On June 8, 2026 we released an updated version of the Apigee hybrid software, v1.16.5.
Various security and CVE fixes are included in this release.
App Hub support for resources from Memorystore is now generally available (GA).
You can analyze data lineage with Gemini Cloud Assist in BigQuery. This feature is in Preview.
You can now use Gemini Cloud Assist to schedule queries. This feature is in Preview.
You can use the Google-developed, open source Java Database Connectivity (JDBC) driver for BigQuery to connect your Java applications to BigQuery. This feature is generally available (GA).
You can use custom constraints with Organization Policy to provide more granular control over specific fields for some BigQuery sharing resources. For more information, see Manage Sharing data exchanges and listings using custom constraints. This feature is generally available (GA).
IAM deny policies for BigQuery are now generally available (GA).
You can manage and limit the costs associated with BigQuery generative AI functions by configuring daily token quotas. Token-based cost management for BigQuery generative AI functions is generally available (GA).
FOCUS billing data export to BigQuery available in Preview
Cloud Billing data export to BigQuery now offers a FOCUS billing data export available in Preview. The FinOps Open Cost and Usage Specification (FOCUS) is an open specification that defines clear requirements for technology billing data generators to produce consistent cost and usage datasets. The Google Cloud billing data export using the FOCUS specifications includes FOCUS columns up to FOCUS version 1.2.
For more information about the FOCUS billing data export to BigQuery, refer to the following documentation:
Cloud SQL for MySQL managed buffer pool
is now generally available (GA).
Managed buffer pool helps you avoid out-of-memory events (OOMs) on your
Cloud SQL instance by reducing innodb_buffer_pool_size when memory usage is high.
1.28.7-asm.4 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.7-asm.4 uses Envoy v1.36.8-dev.
1.27.9-asm.5 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.9-asm.5 uses Envoy v1.35.12-dev.
1.26.8-asm.11 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.11 uses Envoy v1.34.14.
The rollouts previously announced on June 3, 2026 have been stopped. The following release will supersede them and include those patches and the fix for the vulnerability listed in GCP-2026-035.
The Trace API supports regional endpoints. For a list of supported endpoints, see the REST API reference pages:
The workstation configuration creation page in the Google Cloud console has been optimized to make configuration creation faster and easier. Common machine settings are grouped into selectable machine presets, frequently used settings are consolidated on the Configuration essentials landing page, and a pending cluster with default settings is automatically provisioned when no cluster exists in your selected region.
Generally available: The C4D machine series supports Hyperdisk Balanced High Availability disks.
For more information, see About Hyperdisk Balanced High Availability and Performance limits for machine series.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43492 in the Linux kernel.
Fixed CVE-2026-43496 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-45837 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46061 in the Linux kernel.
Fixed CVE-2026-46062 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46072 in the Linux kernel.
Fixed CVE-2026-46076 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46108 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46128 in the Linux kernel.
Fixed CVE-2026-46129 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46135 in the Linux kernel.
Fixed CVE-2026-46139 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46159 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46177 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46193 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46243 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.90 | v27.5.1 | v2.2.3 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Gemini 3.5 Flash is now generally available to Gemini Code Assist users in VS Code and IntelliJ. You can use this model for agent mode, chat, and code generation.
Gemini 3.5 Flash is now generally available to Gemini Code Assist users in VS Code and IntelliJ. You can use this model for agent mode, chat, and code generation.
Gemini Enterprise: Gemini 3.5 Flash feature management toggle is no longer available after June 16, 2026
Starting June 16, 2026, the Gemini 3.5 Flash feature management toggle is no longer available. This change applies to the Global, US, and EU multi-regions.
Google Cloud CCaaS 4.39
We've released version 4.39 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue with Salesforce where cases weren't created when a virtual agent connected to a call.
Fixed an issue where agents on teams with transfer restrictions couldn't transfer chats to agents not assigned to a team.
Fixed an issue where agents who weren't available for chat transfers still appeared in the transfer list, causing transfer attempts to fail.
Fixed an issue where the Submit wrap-up button didn't appear in the call adapter after agents completed outbound calls.
Fixed an issue where an agent and caller could still hear each other after the agent placed the caller on hold.
Fixed an issue in the agent desktop that occurred after an agent transferred a call to a different queue. The agent desktop layout of the source queue displayed to the receiving agent instead of the layout of the destination queue.
Fixed an issue where the reporting for After Call Work (ACW) time was artificially high for calls transferred to a third party.
Fixed an issue where overcapacity deflection settings interfered with after-hours deflections, causing calls to be incorrectly queued.
Fixed an issue where the inactivity timeout didn't function as configured.
Several API dependencies that aren't required by Managed Airflow (Gen 3) are now phased out and must be enabled separately if you want to create Managed Airflow (Gen 2) environments in a new project. This change was announced previously.
The following API dependencies were phased out:
The following API dependencies aren't phased out yet and are scheduled to be detached from the Cloud Composer API in the future:
Existing Managed Airflow (Gen 3) and Managed Airflow (Gen 2) environments in projects where the Cloud Composer API is already enabled aren't impacted.
You can do the following:
Cloud Network Insights is in General Availability.
Cloud Network Insights monitors your network and web application performance across multicloud and hybrid networks and provides visualization tools to help identify and diagnose network issues.
The following additional features are included in this release:
Compute Engine VM Monitoring Points: deploy a Monitoring Point optimized for Google Cloud directly to your Google Cloud infrastructure using Terraform.
Connectivity Tests support: run Connectivity Tests from Cloud Network Insights to validate connectivity between endpoints of some dual-ended network paths.
The OBJECT_TYPE/PERSON/SIGNATURE infoType detector is available in global and the asia, europe, and us multi-regions. For more information about all infoTypes, see InfoType detector reference.
Agent Search: Prefix and partial matching for filtering search queries (Preview)
You can configure schema fields to support prefix matching and partial matching in filter expressions:
Prefix matching lets you filter search results based on whether a field value starts with a specific string.
Partial matching lets you filter results based on whether the query contains
some of the words in the field value. Partial matching doesn't require a
perfect match like the ANY operator does.
This feature is in Public Preview. For more information, see Configure field settings.
Agent Search: EXISTS filter for filtering search queries (Preview)
You can use the EXISTS filter to filter search results for documents.
Specifying EXISTS for a field means that a document can only be returned in a
search request if the field has a value and that value is not the default.
This
filter is available for custom search and for media search. Use EXISTS with
other filters such as ANY and IN to create expressions to scope the
documents that can be returned in a search query.
This feature is in Public Preview. For more information, see Filter custom search for structured or unstructured data, Filter website search, and Filter media search.
]]>Release 6.3.88 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Cloud Location Finder is generally available (GA).
Release 6.3.87 is now available for all regions.
General availability support for the following integration:
]]>Cloud Data Fusion version 6.11.1.3 is generally available (GA).
Fixed in Cloud Data Fusion 6.11.1.3:
Fixed an issue that caused pipeline preview runs to fail with an
InaccessibleObjectException when using certain plugins, such as
Cloud SQL for PostgreSQL
(CDAP-21212).
Fixed an issue causing custom plugins to lose their logging context when running in parallel pipeline branches, ensuring consistent log propagation across both linear and parallel branched pipeline executions (CDAP-21245).
Fixed critical security vulnerabilities in CDAP (CDAP-21250).
Improved the latency of the List pipelines page (CDAP-21244).
Fixed an issue causing intermittent service unavailability after instance upgrades (CDAP-21254).
Changes in Cloud Data Fusion 6.11.1.3:
deployStrategy query parameter in the
Deploy Application API
to skip the re-deployment of an existing pipeline if its configuration hasn't
changed
(CDAP-21246).Custom dashboards can display trace data. You can view individual spans or aggregated data. This feature is public preview. For more information, see the following:
Custom dashboards can display trace data. You can view individual spans or aggregated data. This feature is public preview. For more information, see Display traces on a custom dashboard.
Gemini Enterprise: Asana data store (Preview)
The Asana data store is available in Public Preview in Gemini Enterprise.
You can connect an Asana account to search and read projects, workspaces, teams, and tasks using natural language. You can also perform actions, such as creating projects and tasks, directly from the Gemini Enterprise app.
For more information, see Connect Asana.
Gemini Enterprise: Administrator control for Gemini 3.5 Flash
As a reminder, effective June 9, 2026, the feature management toggle for Gemini 3.5 Flash is no longer available. Gemini 3.5 Flash is enabled by default for all users in the Gemini Enterprise app and cannot be disabled.
This change applies to the Global, US, and EU multi-regions.
Google Distributed Cloud (software only) for bare metal 1.33.900-gke.90 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.33.900-gke.90 runs on Kubernetes v1.33.11-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.33.900-gke.90:
Starting June 1, 2026, the Data Catalog service begins a phased shutdown. From this date onward, you might experience disruptions or a complete lack of access to Data Catalog APIs. Knowledge Catalog (formerly known as Dataplex Catalog) operates without impact.
For more information about migrating from Data Catalog to Knowledge Catalog, see Transition from Data Catalog to Knowledge Catalog.
AI Protection supports data residency in the European Union (EU) for the Security Command Center Premium tier.
For more information, see Planning for data residency.
The following Security Command Center finding category names from AI Protection have new names that clarify that AI Protection detects Gemini foundation models:
VERTEX_AI_MODEL_DETECTED changes to GEMINI_MODEL_DETECTED.VERTEX_AI_MODEL_NOT_PROTECTED_BY_MODEL_ARMOR changes to
GEMINI_MODEL_NOT_PROTECTED_BY_MODEL_ARMOR.For more information about AI Protection findings, see AI Protection overview.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
To view the instrumentation scope or the schema associated with a span, open the Details view for the span and select the Metadata & Links tab. For more information, see View attributes, log entries, and events.
Cluster Toolkit version 1.92.0 is available. This release introduces support for ML Diagnostics on TPU machine types and node auto-provisioning on GKE clusters. The release also adds an optional infrastructure setup for inference gateways and compact placement for Slurm clusters by using the Dynamic Workload Scheduler (DWS) flex-start provisioning model. For details, see the Release announcement on GitHub.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
Custom extractor offers document validation and correction in Preview.
This feature allows you to enhance extraction accuracy with validation rules and document data using Common Expression Language (CEL) dialect.
For more information, see CEL dialect for document validation.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.34.8-gke.1218000 | cos-125-19216-395-7 | cos-125-19216-395-7 release notes |
| 1.36.0-gke.2684000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
GKE Gateway now supports frontend mTLS (client certificate validation). Frontend mTLS allows the Gateway to authenticate client-presented certificates. This feature is available for the following GatewayClasses:
gke-l7-global-external-managedgke-l7-regional-external-managedgke-l7-rilbFor more information, see Configure frontend mTLS for a Gateway.
You can use the lookupContext method to retrieve a pre-formatted bundle of data asset context optimized for interactive agentic workflows. This LLM-ready context helps to ground your agents in assessing and using data assets.
This feature is available in preview.
For more information, see Retrieve context for data assets.
Looker 26.10 is expected to include the following changes, features, and fixes:
An issue has been fixed where clicking Save and Schedule on an Explore could fail to load the Schedule dialog in a Looker (Google Cloud core) instance. This feature now performs as expected.
An issue has been fixed where cross filters didn't properly appear in the right-aligned filter bar. This feature now performs as expected.
An issue has been fixed where attempting to download or schedule the Recent Login Failures tile on the User Activity System Activity dashboard could fail. This feature now performs as expected.
An issue has been fixed where users were unable to scroll dashboards when the filter bar was open. This feature now performs as expected.
An issue has been fixed where dragging a dashboard tile horizontally could cause the tile to expand beyond the browser window. This feature now performs as expected.
An issue has been fixed for filters on custom calendar fields that was causing a SQL error when the custom calendar dimension_group or the custom calendar reference_date had a non-timestamp datatype specified. This feature now performs as expected.
An issue has been fixed where configuring remote dependencies with custom SSH ports for on-premise Git repositories could fail. This feature now performs as expected.
An issue has been fixed where applying string matching filters (such as Contains or Starts With) with an empty value could generate incorrect filter SQL. This feature now performs as expected.
An issue has been fixed where the labels that were specified in the PDT Override Additional JDBC Parameters field weren't being applied to BigQuery table creation jobs. This feature now performs as expected.
An issue has been fixed where changes to Markdown files weren't saved when you switched between Edit and Preview mode. This feature now performs as expected.
An issue has been fixed where running queries against derived tables in SQL Runner could cause Looker to return a 500 error. This feature now performs as expected.
An issue has been fixed where the right-aligned filter bar could become wide enough to require a scroll bar if a range slider filter was added. This feature now performs as expected.
An issue has been fixed where right-clicking in a drill-down menu during a cookieless embed session could incorrectly close the menu. This feature now performs as expected.
An issue has been fixed where retrieving all schemas for a Denodo connection could overload the database CPU. This feature now performs as expected.
An issue has been fixed where the Unsubscribe link could fail to appear in a scheduled report email. This feature now performs as expected.
An issue has been fixed where the Advanced Vis Config editor would not recognize the plotOptions.column.borderRadius option. This feature now performs as expected.
An issue has been fixed where dashboard filters could fail to be updated from inactive to active color highlighting when certain types of date inputs were present. This feature now performs as expected.
An issue has been fixed where visualizations could overflow instead of shrinking when a tile or browser was resized. This feature now performs as expected.
When you edit a visualization, the Advanced Vis Config editor can now override default theme border and padding styles. This feature now performs as expected.
An issue has been fixed where a join wouldn't be added to a query if the join was required by a measure that was excluded from an Explore. This feature now performs as expected.
An issue has been fixed where period-over-period (POP) measures of types previous and difference that were based on count and sum measures would incorrectly return null instead of zero when no data was available for the comparison period. This feature now performs as expected.
An issue has been fixed where filter suggestions on dashboard filters could incorrectly retain previous filter values. This feature now performs as expected.
An issue has been fixed where setting a field name or an Explore name in a LookML dashboard as a non-string datatype could cause the LookML validator to return a 500 error. This feature now performs as expected.
An issue has been fixed where the button group dashboard filter type could display more than 30 options, cluttering the UI. This feature now performs as expected.
An issue has been fixed where moving a filter by dragging it could also inadvertently highlight text. This feature now performs as expected.
An issue has been fixed where some PDT settings were unavailable when you created a BigQuery connection by using the Quickstart flow in a Looker (Google Cloud core) instance. This feature now performs as expected.
Period-over-period (PoP) measures are now supported on connections to Trino databases.
Memorystore for Valkey has additional node-level metrics for Cloud Monitoring. These metrics offer detailed insights into the health and performance of individual nodes within an instance. You can use the metrics to troubleshoot issues with the nodes to optimize their performance. The metrics are available in Preview.
Google Cloud's Agent for SAP version 3.15
Version 3.15 of Google Cloud's Agent for SAP is generally available (GA). This version updates the libraries in the agent's GitHub repository to address vulnerabilities when you're building the agent from its GitHub source.
For more information, see What's new with Google Cloud's Agent for SAP.
reCAPTCHA Mobile SDK v18.9.1 is available for iOS. This version fixes symbol collisions with libraries using Objective-C protos.
]]>App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
BigQuery fluid scaling, which provides per-second billing with no minimum duration for autoscaling reservations, is generally available (GA).
1.28.7-asm.3 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.7-asm.3 uses Envoy v1.36.7-dev.
Patch 1.28.7-asm.3 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
1.27.9-asm.4 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.9-asm.4 uses Envoy v1.35.10-dev.
Patch 1.27.9-asm.4 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2022-31045 | Yes | Yes | Yes | Yes | Medium (9.8) |
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2019-14993 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39155 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39156 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2022-23635 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
The following images are now rolling out for managed Cloud Service Mesh:
These patch releases contain the fixes for the following CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
1.26.8-asm.10 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.10 uses Envoy v1.34.14.
Patch 1.26.8-asm.10 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2022-31045 | Yes | Yes | Yes | Yes | Medium (9.8) |
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2019-14993 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39155 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39156 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2022-23635 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
Generally available: You can gradually create Flex-start VMs in a managed instance group (MIG) as capacity becomes available. Unlike resize requests for MIGs that wait for full capacity before creating VMs, this method might create only a portion of your requested Flex-start VMs if capacity is unavailable. The MIG creates the remaining VMs later as capacity permits. Flex-start VMs run for up to seven days and help you obtain high-demand resources, such as GPUs, at a discounted price.
For more information, see Create a MIG that uses Flex-start VMs.
Various bug fixes and minor product enhancements.
Gemini Enterprise: DRZ and MLP compliance in the EU for Google NotebookLM Enterprise
Gemini Enterprise is compliant with data residency (DRZ) and machine learning processing (MLP) requirements in the EU for Google NotebookLM Enterprise for adding sources and interacting with the sources (chat). However, the Discover Sources feature and Studio features, such as audio overview, slide deck, infographic, video overview, mind map, and reports, are not MLP compliant.
For more information on location limitations, see NotebookLM limitations.
Google Cloud CCaaS 4.38
We've released version 4.38 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Sort and filter emails
Agents can now sort and filter emails by date in the email adapter.
User experience changes: The email adapter has the following new UI elements:
A button to toggle between Oldest to newest and Newest to oldest in the email list.
A Filter by Date list to filter by preset filters or by a configurable date range.
For more information, see Email lists.
This release addresses the following issues:
Fixed an issue where Canadian French translations for notifications and error messages were appearing in English.
Fixed an issue where the Alvaria WFM Agent Performance report was exporting every minute instead of once daily.
Fixed an issue where the Agent Preferences table on the Agent Availability dashboard didn't update when an agent modified their availability preferences.
Fixed an issue that occurred when an agent manually changed their status to Available before the point in time that automatic wrap-up was configured to do so. In the Activity Timeline report, the status change was mistakenly attributed to the system.
Fixed an agent desktop issue where clicking the Transfer button in an SMS chat displayed an error instead of starting a transfer.
Fixed an issue where a delay in Salesforce task creation caused a lag in updating the ticket ID on calls.
Fixed an issue where agents couldn't transfer SMS chats.
Fixed an issue where incoming chats were routed to newly signed-in agents instead of to those who had been available the longest.
Fixed an issue where messages in the chat adapter's chat history weren't labeled or aligned to distinguish agent messages from end-user messages.
Fixed an issue in the IVR Queue Menu Settings pane where the text input field didn't appear when users selected Text-to-speech.
Fixed an issue in the SMS Queue Menu Settings pane where phone numbers weren't appearing in the incoming and outbound Assigned Numbers fields.
Fixed an issue where the web SDK didn't load.
Fixed an issue where live transcripts and conversation summarization didn't display in the agent desktop following an instance update.
AlienVault USM Appliance: Version 28.0
ConnectWise: Version 23.0
Google Chronicle: Version 84.0
Jira: Version 58.0
ServiceDesk Plus: Version 10.0
ServiceDesk PlusV3: Version 10.0
ServiceNow: Version 67.0
Siemplify: Version 245.0
MISP: Version 275.6
Microsoft Sentinel Incident Tracking Connector: Version 29.0
Incident Creation Time Filter (days) advanced parameter and optimized error handling logic.You can use Policy Analyzer to visualize allow policy queries. This can help you understand the relationship between identities, roles, permissions, and resources within your resource hierarchy.
Policy Analyzer supports queries about agent identities. You can see who can access an agent or what resources and agents a specific agent can reach.
These features are available in in Preview.
For more information, see Analyze allow policies.
Added support for inspecting and de-identifying conversational content. You can now include a Conversation in your ContentItem requests.
Preview stage support for the following integration:
]]>You can now configure a cooldown period to determine when autoscaling occurs for your read pool instances. For more information, see Scale an instance.
On June 2nd, 2026, we released an updated version of Apigee Cassandra.
| Bug ID | Description |
|---|---|
| Apigee Cassandra security update | Security fix for Apigee Cassandra infrastructure. This addresses the following vulnerabilities: |
Remote functions now support a custom path in the endpoint URL. You can reuse a single Cloud Run service for multiple BigQuery remote functions by specifying different path suffixes on the same endpoint. This feature is generally available (GA).
A single-region Critical production SLA for Cloud Interconnect is Generally Available.
For workloads that require 99.99% availability within a single region, you can now configure a single-region topology that achieves the Critical production SLA.
For more information, see Establish 99.99% availability for Dedicated Interconnect or the Cross-Cloud Interconnect overview.
TLS post-quantum key exchange support is now available for
Application Load Balancers and external proxy Network Load Balancers.
Post-quantum key exchange is
essential for protecting today's traffic from future quantum computing
decryption risks (harvest now, decrypt later attacks).
With post-quantum key exchange enabled, the
load balancer uses post-quantum key exchange with clients that support TLS
1.3 and X25519MLKEM768 key exchange.
This feature is rolling out in three phases:
Phase 1 (Until October 2026): Post-quantum key exchange is not enabled by default. Customers can elect to opt in and enable it using their SSL policy.
Phase 2 (October 2026 through October 2027): The feature is enabled by default. Customers can elect to defer (opt out) if required.
Phase 3 (After October 2027): The feature is enabled by default, and options to defer are no longer effective.
We strongly encourage you to enable post-quantum key exchange now, even before it is turned on by default. The opportunity to test this today will help you verify that clients and any intermediate network devices can properly negotiate post-quantum key exchange.
For more information, see Post-quantum key exchange.
Support for Histogram widgets on custom dashboards is generally available. These widgets extract the most recent value from each time series, group those values into ranges, and then provide a graphical representation of the result. Unlike tables or other widgets that display the most recent values, Histograms display information about the relative frequency of ranges of values.
This widget is one of several visualizations that you can use to display the most recent values. For more information, see the following documents:
The create-observability bucket flow enforces organization policies with constraints on resource locations. This flow also enforces policies that require customer-managed encryption keys (CMEKs) and that restrict the projects that store those keys. Your trace data is stored in an observability bucket.
For more information, see the following:
Datastream now offers a free tier for change data capture (CDC) data processed from Google Cloud sources, such as AlloyDB for PostgreSQL and Spanner. You get the first 100 GiB of CDC data for free per billing account, per month.
For more information, see the Pricing page.
You can configure your Filestore instances to use Private Service Connect with NFSv3 or NFSv4.1 file system protocols and IPv4 or IPv6 address families to allow consumers access managed services privately from inside their VPC network. This feature is generally available.
For more information, see Create a Filestore instance with Private Service Connect.
Gemini Enterprise: Gemini 3 pro image (Nano Banana Pro) and Gemini 3.1 flash image (Nano Banana 2) for image generation
Gemini 3.1 flash image (Nano Banana 2) and Gemini 3 pro image (gemini-3.0-pro-image) are generally available (GA) in Gemini Enterprise app.
To make these models available to users in your Gemini Enterprise app, a Gemini Enterprise administrator can manage them in the feature controls:
Gemini 3 pro image (Nano Banana Pro): Turned off by default and is only available in the Global region.
Gemini 3.1 flash image (Nano Banana 2): Turned off by default and is only available in the Global region. If an administrator turned on this model during its Public Preview, it remains turned on in GA in the Gemini Enterprise app.
For more information about feature controls, see Manage features on the web app.
Updates to abuse monitoring and zero data retention documentation
Documentation for abuse monitoring, zero data retention, and responsible AI has been updated to align with the Advanced AI Safety Addendum. These updates include new details regarding Advanced AI safety, partner-specific terms, and request-response logging for models like Claude Mythos and Opus.
For more information, see:
GKE is introducing the following changes to expand the capabilities of maintenance exclusions:
For more information, see Maintenance exclusions.
(Managed Airflow Gen 3) You can now access Cloud Run endpoints restricted to internal ingress traffic through your environment's network attachment. This feature is available through gcloud CLI beta commands and beta Cloud Composer API in all Managed Airflow (Gen 3) versions.
Google Cloud NetApp Volumes Flex Unified service level is available with limited performance in the following region:
For more information about limited performance regions, see Supported regions for Flex Unified limited performance.
]]>Agent Assist offers summarization with custom sections 6.0 in GA. The 6.0 version is powered by gemini-3.5-flash and available in all Agent Assist regions.
Agent Assist offers summarization autoevaluation with more rubrics for evaluating completeness. This update also explains the use of N/A in the overall performance view.
Summarization autoevaluation is available in the following additional regions:
The Facebook Ads connector for the BigQuery Data Transfer Service now supports data transfers from the following Facebook Ads reports:
AdInsightsMMMAdsAdCreativesAdSetsCampaignsAdImagesAdLabelsBusinessesCustomAudiencesCUD Analysis is Generally Available
CUD Analysis has reached general availability (GA). This tool supports the new spend-based CUD model and provides a unified interface for customers to examine both spend-based and resource-based CUDs. It offers a consolidated view of Compute resources including the benefits of both resource-based and spend-based CUDs.
You can use this tool to do the following:
For more information, see Analyze the effectiveness of your CUDs.
A modernized, component-centric interface for Cloud Load Balancing is available in Preview. This inaugural release provides an expanded perspective of load balancing infrastructure, offering enhanced transparency into individual component configurations.
The key features of this release include the following:
Comprehensive resource inventory: A centralized, searchable, and sortable management layer for granular resources—including forwarding rules, target proxies, and TLSRoutes—facilitating detailed monitoring of resource status and interdependencies.
Interactive resource topology: A contextual visualization tool that maps traffic flow from forwarding rules through proxies to backends, enabling technical teams to efficiently analyze dependencies and accelerate issue resolution.
Integrated audit logging: Embedded audit logs within the console that offer a unified module for monitoring and tracking historical configuration changes.
The details page for a span can display the call hierarchy of a trace by using a directed acyclic graph (DAG). If you view an Application Monitoring dashboard and explore the trace data that it displays, the flyout supports the DAG option. If you open the Trace Explorer page and explore a span, the DAG option is also available.
For more information, see the following:
Generally available: Compute Engine supports Google's custom-developed accelerator Tensor Processing Unit (TPU), providing a converged experience across AI accelerators on Google Cloud. You can use the Compute Engine instance API and managed instance group (MIG) API to create and manage TPU VMs. You can perform standard VM configurations such as using a custom OS or configure boot disk size. Compute Engine APIs support the creation and management of TPU slices across all consumption options, enabling small-scale experimentation and large-scale training and inference workloads.
For more information, see TPU resources in Compute Engine.
The details page for a span can display the call hierarchy of a trace using a directed acyclic graph (DAG). One way to view a span's details is to open the Trace Explorer page and select the span. The DAG view is also available for some integrations. For example, if you view an Application Monitoring dashboard and explore the trace data it displays, the flyout supports the DAG option.
For more information, see the following:
Generally available: Compute Engine supports the Google's custom-developed accelerator Tensor Processing Unit (TPU), providing a converged experience across AI accelerators on Google Cloud. You can use the Compute Engine instance API and managed instance group (MIG) API to create and manage TPU VMs. You can perform standard VM configurations such as using a custom OS or configure boot disk size. Compute Engine APIs support the creation and management of TPU slices across all consumption options, enabling small-scale experimentation and large-scale training and inference workloads.
For more information, see TPU resources in Compute Engine.
Generally available: In a managed instance group (MIG), obtain the requested number of virtual machine (VM) instances all at once by using bulk mode of the target size policy. Using bulk mode helps you avoid partial VM provisioning in a MIG. Bulk mode is particularly beneficial for batch workloads, such as high performance computing (HPC) or distributed training, that require full capacity before they can start. For more information, see About bulk mode.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Added dev-libs/mpdecimal and dev-python/gentoo-common.
Updated app-containers/runc from v1.2.8 to v1.2.9
Updated dev-lang/python to v3.11.15.
Added support for NVIDIA driver v580.159.04.
Upgraded app-shells/dash to v0.5.13.4.
Fixed EFI variable OOB read in grub config parsing.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Allow overriding IMA policy from oem partition.
On cchost boards, autoload IMA policy on boot.
Set static UUID for the stateful partition.
Added support for NVIDIA driver v580.159.04.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
Updated Python to v3.8.20.
Updated app-containers/runc from v1.2.8 to v1.2.9
Added support for NVIDIA driver v580.159.04.
Fixed EFI variable OOB read in grub config parsing.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.90 | v27.5.1 | v2.2.3 | See List |
Runtime sysctl changes:
Added support for NVIDIA driver v580.159.04.
The Filestore remote Model Context Protocol (MCP) server is generally available (GA). The Filestore remote MCP server lets you create and manage Filestore instances from LLMs, AI applications, and AI-enabled development platforms.
Support for searching for and managing your Firestore resources using Knowledge Catalog, which is a platform for storing, managing, and accessing your metadata. To learn more, see View Knowledge Catalog insights.
Support for searching for and managing your Firestore resources using Knowledge Catalog, which is a platform for storing, managing, and accessing your metadata. To learn more, see View Knowledge Catalog insights.
Gemini Enterprise: Agent Designer migration to Gemini 3.5 Flash
Agent Designer agents in the US and Global regions that previously migrated from Gemini 2.5 Flash and Gemini 2.5 Pro to Gemini 3.1 Pro have been migrated to Gemini 3.5 Flash. This migration is automatic and requires no action.
To use a different model, edit your agent's settings using either conversational chat or the flow builder.
Gemini Enterprise: Create and edit documents and slides in Canvas
Canvas is a dedicated, interactive tool within the Gemini Enterprise web app. It allows you to create and edit AI-generated documents and presentations directly from your chats. You can then export these to Google Workspace, Microsoft Office formats, and PDF.
A Gemini Enterprise administrator must turn on the feature so that users can use it in the Gemini Enterprise app. For more information about feature controls, see Manage features on the web app.
For more information, see Create and edit documents and slides in Canvas.
Gemini 2.0 Flash and Gemini 2.0 Flash-Lite are discontinued
Gemini 2.0 Flash and 2.0 Flash-Lite are discontinued and are no longer available. This includes both model serving and Provisioned Throughput. Use Gemini 3.1 Flash-Lite, Gemma 4, or more recent Gemini releases.
All 3-year (36-month) post-paid ve2 committed use discounts (CUDs) for Google Cloud VMware Engine purchased after May 31, 2026, will terminate on October 15, 2028. 3-year CUD pricing will apply, regardless of the actual term of the CUD. Additionally, 3-year pre-paid CUDs are no longer available; only 1-year pre-paid CUDs are available.
The Manage access to preview features feature has been rolled back.
New SAP certification for operating system: RHEL 10.0 for SAP
For use with SAP HANA and SAP NetWeaver on Google Cloud, SAP has certified the operating system Red Hat Enterprise Linux (RHEL) 10.0 for SAP.
For more information about SAP-certified operating systems, see:
General Availability: Composite Health for Private Service Connect, formerly known as Private Service Connect health, lets service producers define health criteria for published services, enabling automatic cross-region failover for consumers that access the service by using Private Service Connect backends.
reCAPTCHA Mobile SDK v18.9.1 is available for Android. This version fixes an issue that caused package name collisions when building projects using Android Gradle Plugin version 9.0 or higher.
]]>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD_AUDIT_EVENTS)AIX_SYSTEM)APACHE)ARUBA_EDGECONNECT_SDWAN)AVAYA_AURA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)GUARDDUTY)AWS_SECURITY_HUB)AZURE_AD)AZURE_AD_CONTEXT)AZURE_AD_SIGNIN)AZURE_SQL)AZURE_STORAGE_AUDIT)BARRACUDA_WAF)BLUECOAT_WEBPROXY)CHROME_MANAGEMENT)CISCO_ACS)CISCO_ISE)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CITRIX_NETSCALER)CLAROTY_XDOME)CLAUDE_COMPLIANCE_LOGS)CLOUDFLARE)CLOUDFLARE_WARP)CORELIGHT)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)DUO_ADMIN)EFFICIENTIP_DDI)ELASTIC_AUDITBEAT)ELASTIC_WINLOGBEAT)F5_ASM)FORCEPOINT_WEBPROXY)FORTINET_FIREWALL)GITHUB)GCP_CLOUD_ASSET_INVENTORY)GCP_CLOUDAUDIT)GCP_COMPUTE_CONTEXT)GTI_IOC)GTB_DLP)CLEARPASS)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_WAF)IMPERVA_CEF)IMPERVA_DRA)IMPERVA_SECURESPHERE)ISLAND_BROWSER)JUNIPER_FIREWALL)JUNIPER_MIST)KUBERNETES_NODE)LASTPASS)AUDITD)AZURE_ACTIVITY)MICROSOFT_DEFENDER_MAIL)IIS)MOBILEIRON)MONGO_DB)MYSQL)NETAPP_STORAGEGRID)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)GCP_NGFW_ENTERPRISE)OFFICE_365)OFFICE_365_MESSAGETRACE)OKTA_SCALEFT)ORACLE_DB)OCI_AUDIT)ORCA)PROOFPOINT_ON_DEMAND)RADWARE_FIREWALL)REDHAT_DIRECTORY_SERVER)REDHAT_OPENSHIFT)SALESFORCE)SANGFOR_NGAF)GCP_SECURITYCENTER_ERROR)GCP_SECURITYCENTER_MISCONFIGURATION)GCP_SECURITYCENTER_OBSERVATION)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)GCP_SECURITYCENTER_UNSPECIFIED)GCP_SECURITYCENTER_VULNERABILITY)SENTINELONE_CF)SERVICENOW_SECURITY)SOURCEFIRE_IDS)SURICATA_EVE)SEP)SYSDIG)TRENDMICRO_DEEP_SECURITY)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)UBIQUITI_SWITCH)NIX_SYSTEM)UPWIND)VMWARE_ESX)VMWARE_VSPHERE)WINDOWS_DNS)WINEVTLOG)WIZ_IO)WORKDAY_USER_ACTIVITY)WORKSPACE_ACTIVITY)ZSCALER_WEBPROXY)ZSCALER_CASB)ZSCALER_DLP)ZSCALER_ZPA)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AZURE_SOFTWARE_VULNERABILITIES)CALLER_VERIFY)CERTSECURE_LOG)CISCO_MULTICLOUD_DEFENSE_FIREWALL)CURSOR)CYFIRMA_DECYFIR_LOG)DATABAHN)FLARE_DARKWEB_ALERTS)FORTINET_FORTIAPPSEC)HIKVISION_NVR)IBM_B2B_INTEGRATOR)IBM_VDP)IMPERVA_ATO)IMPERVA_CSP)IMPERVA_DNS)IMPERVA_NETWORK_SECURITY)MICROSOFT_DEFENDER_XDR)NAKIVO_BACKUP)NETCRAFT_TAKEDOWN)NXL_AMPLIFY)SIEMENS_DESIGO)Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD_AUDIT_EVENTS)AIX_SYSTEM)APACHE)ARUBA_EDGECONNECT_SDWAN)AVAYA_AURA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)GUARDDUTY)AWS_SECURITY_HUB)AZURE_AD)AZURE_AD_CONTEXT)AZURE_AD_SIGNIN)AZURE_SQL)AZURE_STORAGE_AUDIT)BARRACUDA_WAF)BLUECOAT_WEBPROXY)CHROME_MANAGEMENT)CISCO_ACS)CISCO_ISE)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CITRIX_NETSCALER)CLAROTY_XDOME)CLAUDE_COMPLIANCE_LOGS)CLOUDFLARE)CLOUDFLARE_WARP)CORELIGHT)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)DUO_ADMIN)EFFICIENTIP_DDI)ELASTIC_AUDITBEAT)ELASTIC_WINLOGBEAT)F5_ASM)FORCEPOINT_WEBPROXY)FORTINET_FIREWALL)GITHUB)GCP_CLOUD_ASSET_INVENTORY)GCP_CLOUDAUDIT)GCP_COMPUTE_CONTEXT)GTI_IOC)GTB_DLP)CLEARPASS)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_WAF)IMPERVA_CEF)IMPERVA_DRA)IMPERVA_SECURESPHERE)ISLAND_BROWSER)JUNIPER_FIREWALL)JUNIPER_MIST)KUBERNETES_NODE)LASTPASS)AUDITD)AZURE_ACTIVITY)MICROSOFT_DEFENDER_MAIL)IIS)MOBILEIRON)MONGO_DB)MYSQL)NETAPP_STORAGEGRID)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)GCP_NGFW_ENTERPRISE)OFFICE_365)OFFICE_365_MESSAGETRACE)OKTA_SCALEFT)ORACLE_DB)OCI_AUDIT)ORCA)PROOFPOINT_ON_DEMAND)RADWARE_FIREWALL)REDHAT_DIRECTORY_SERVER)REDHAT_OPENSHIFT)SALESFORCE)SANGFOR_NGAF)GCP_SECURITYCENTER_ERROR)GCP_SECURITYCENTER_MISCONFIGURATION)GCP_SECURITYCENTER_OBSERVATION)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)GCP_SECURITYCENTER_UNSPECIFIED)GCP_SECURITYCENTER_VULNERABILITY)SENTINELONE_CF)SERVICENOW_SECURITY)SOURCEFIRE_IDS)SURICATA_EVE)SEP)SYSDIG)TRENDMICRO_DEEP_SECURITY)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)UBIQUITI_SWITCH)NIX_SYSTEM)UPWIND)VMWARE_ESX)VMWARE_VSPHERE)WINDOWS_DNS)WINEVTLOG)WIZ_IO)WORKDAY_USER_ACTIVITY)WORKSPACE_ACTIVITY)ZSCALER_WEBPROXY)ZSCALER_CASB)ZSCALER_DLP)ZSCALER_ZPA)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AZURE_SOFTWARE_VULNERABILITIES)CALLER_VERIFY)CERTSECURE_LOG)CISCO_MULTICLOUD_DEFENSE_FIREWALL)CURSOR)CYFIRMA_DECYFIR_LOG)DATABAHN)FLARE_DARKWEB_ALERTS)FORTINET_FORTIAPPSEC)HIKVISION_NVR)IBM_B2B_INTEGRATOR)IBM_VDP)IMPERVA_ATO)IMPERVA_CSP)IMPERVA_DNS)IMPERVA_NETWORK_SECURITY)MICROSOFT_DEFENDER_XDR)NAKIVO_BACKUP)NETCRAFT_TAKEDOWN)NXL_AMPLIFY)SIEMENS_DESIGO)Release 6.3.87 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>On May 30, 2026 we released an updated version of the Apigee hybrid software, v1.15.4.
Various security and CVE fixes are included in this release.
Release 6.3.86 is now available for all regions.
]]>On May 29, 2026, we released an updated version of the Apigee UI.
Apigee EventFlow now supports the DataCapture policy
You can now use the DataCapture policy within an EventFlow to extract and persist data from server-sent events (SSE) streams, such as token counts and other fields from streaming LLM responses. For more information, see Use the DataCapture policy to capture token counts.
Manage Spaces in the Apigee UI
You can now create, view, update, and delete spaces, and manage their Identity and Access Management (IAM) policies directly in the Apigee UI. Previously, these actions could only be performed using the Apigee API. For more information, see Apigee Spaces overview.
The preconfigured base images include Antigravity CLI.
The base VM was upgraded to use Container-Optimized OS 129 LTS.
The JetBrains RubyMine preconfigured base image
uses a custom gem directory (/usr/local/share/gems/ruby/3.1.0).
Various bug fixes and minor product enhancements.
In GKE version 1.35 and later, workloads that use Workload Identity to authenticate to Google Cloud APIs might experience transient connectivity timeouts or refused connections to the GKE metadata server immediately following node startup. For recommendations and workarounds, see Timeout errors at Pod startup.
GKE Gateway now supports backend authenticated TLS for Gateway-originated connections to Pods or InferencePools for the following GatewayClasses:
gke-l7-global-external-managedgke-l7-regional-external-managedgke-l7-rilbThe Data Lineage API includes the searchLineageStreaming method that performs a breadth-first search (upstream or downstream) to retrieve lineage links for an asset identified by its Fully Qualified Name (FQN).
For more information, see the Data Lineage API reference for REST.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine):
Added support for selecting specific Confidential Computing technologies (AMD SEV, AMD SEV-SNP, Intel TDX) when creating clusters using the new --confidential-compute-type flag in gcloud and the confidentialInstanceType field in the API. The boolean --enable-confidential-compute flag is now deprecated but will continue to function, defaulting to AMD SEV for backward compatibility.
confidentialInstanceType enum in the API.--enable-confidential-compute flag and enableConfidentialCompute field are deprecated in favor of the new type-specific flag/field.SEV.SEV, SEV-SNP, and TDX.You can now view the Google Cloud Backup and DR Service protection summary at the organization and folder levels. To learn more about protection summary, see Find unprotected resources using protection summary.
As part of Bigtable Enterprise Plus edition, you can configure a retention period of up to 365 days for backups. This feature is generally available (GA). For more information, see Bigtable backups overview.
You can view the available regional endpoints for the Cloud Logging API on the REST reference pages. For an example, see Method: projects.locations.buckets.list.
As of August 26, 2026, in buckets with hierarchical namespace enabled,
the Object Lifecycle Management Delete action will
delete empty folders when the empty folder meets all of the conditions in the
lifecycle rule.
You can view the available regional endpoints for the Observability API and for the Telemetry API on their REST reference pages. For more information, see API overview.
You can view the available regional endpoints for the Error Reporting API on the REST reference pages. For an example, see Method: projects.events.list.
Gemini Enterprise: Release of Core Assistant (General Availability) and new Trace and Metrics information for Core Assistant (Preview)
This release includes Core Assistant, a Google-provided ("Made by Google") root agent that handles interactions when users talk to the Gemini Enterprise app without specifying any other agent.
Core Assistant is Generally Available.
Core Assistant includes new observability and monitoring functionality:
The Trace and Metrics tabs are in Public Preview.
For more information, see Observe and trace agent behavior with Core Assistant.
Agent Platform Gemini 3.1 Flash Image and Gemini 3 Pro Image
Gemini Enterprise Agent Platform Gemini 3.1 Flash Image and Gemini 3 Pro Image are Generally Available.
With this release, Gemini 3.1 Flash Image and Gemini 3 Pro Image support 4K image outputs in Preview.
Also supported in this release, Gemini 3.1 Flash Image supports video inputs in Preview. You can use video inputs to generate thumbnails or representative images of videos.
For more information, see the following:
Agent Platform Gemini 3.1 Flash Image Preview and Gemini 3 Pro Image Preview deprecation
Gemini Enterprise Agent Platform Gemini 3.1 Flash Image Preview and Gemini 3 Pro Image Preview are deprecated. We recommend that you update your model endpoints before July 17, 2026, to avoid service disruption.
The following are the discontinued endpoints and recommended endpoint migration:
| Discontinued endpoints | Recommended endpoint migration |
|---|---|
gemini-3.1-flash-image-preview |
gemini-3.1-flash-image |
gemini-3-pro-image-preview |
gemini-3-pro-image |
Anthropic's Claude Opus 4.8
Claude Opus 4.8 is available in Model Garden.
C4A bare metal instances are generally available with GKE clusters. For more information, see the Arm workloads on GKE document, including the "Requirements and limitations" section for specific version requirements.
Confidential GKE Nodes now support cluster level enablement of AMD SEV-SNP and Intel TDX on GKE Autopilot.
In GKE versions 1.36.0-gke.2459000 and later, you can directly configure Cloud Logging for L4 load balancer backend services by using the L4LBConfig CustomResourceDefinition (CRD).
This feature is available for the following load balancer types:
[Spotlight Feature] Unified and Upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. Further, we've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
The following features and resources are included in this update:
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
[Spotlight Feature] Manage access to preview features
Google Sec0ps tenant administrators can enable or disable access to public preview features. Previously, all public preview features needed to be enabled through official Support channels.
The new Public Preview Features page lists all the public preview features, the status of each feature (on or off)—along with (when available) the expected GA date and a link to a relevant user guide.
For more information, see Manage access to preview features.
Upgraded Chronicle API
We've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for all new integrations, for a more robust, secure, and extensible experience. Learn more about API Stability.
The following features and resources are included in this update:
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
Unified and Upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. This unification provides a more robust, secure, and extensible experience. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
This update includes the following resources: Case, CaseAlert, CaseStageDefinition, CaseTagDefinition, CaseQueueFilter, CaseCloseDefinition, ContextProperty, InvolvedEntity, Task, CaseComment, CaseWallRecord, ChatMessage, View, VisualFamily, ChatMessages.attachment, ContentPack, SocRole, EmailTemplate, DynamicParameter, EntitiesBlocklist, Environment, EnvironmentGroup, Integration, Integrationaction, UserNotification, Integrationactionrevision, Connector, ConnectorInstance, RemoteAgent, Connectorlog, Connectorrevision, IntegrationInstance, UniqueEntity, Integrationsjob, JobInstance, JobInstances.log, Jobs.revision, Integrationmanager, Integrationmanagerrevision, AlertGroupingRule, Announcement, Attachment, CustomList, FormDynamicParameter, MarketplaceIntegration, ModuleSetting, SlaDefinition, NotificationSetting, PropertySchemaDefinition, RequestTemplate, SoarDomain, SoarNetwork, WorkdeskLink, SystemNotification, WorkdeskContact, WorkdeskNote, LegacySoarUsers.localization.
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
To enhance security and address potential vulnerabilities (such as GHSA-3m6q-h5gj-7mrw), the Secure Source Manager Git-over-SSH server configuration has removed support for several legacy and insecure SSH algorithms.
SSH clients must support one or more of the following modern algorithms to connect:
curve25519-sha256, diffie-hellman-group14-sha256chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.comhmac-sha2-256-etm@openssh.com, hmac-sha2-256Users with old or non-standard SSH clients lacking support for these algorithms will be unable to connect using SSH for Git operations. Ensure your SSH client is up-to-date.
Risk Engine detects toxic combinations that are related to Managed Service for Apache Spark (formerly known as Dataproc), including Lightning Engine.
Risk reports are updated to include more content in the Risk Engine introduction and the System attack exposure pages. For more information about what's included in risk reports, see Risk reports overview.
]]>Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
An updated version of the Simba ODBC driver for BigQuery is now available.
Generally available: Two C4A bare metal machine types are generally available:
c4a-standard-96-metal with 96 vCPUs and 384 GB of DDR5
memoryc4a-highmem-96-metal with 96 vCPUs and 768 GB DDR5
memoryThese two machine types support Hyperdisk Balanced, Hyperdisk Extreme, Hyperdisk Throughput, and Hyperdisk ML volume storage and up to 100 Gbps of network bandwidth.
To learn more about the C4A machine family, read General-purpose machines. To see where you can create C4A bare metal instances, read Bare metal instances.
Layout parser image and table annotations is in General Availability (GA).
Layout parser can identify if there are images or tables in parsed documents. When found, images and tables are annotated as a descriptive block of text with the information depicted in the image and table.
Gemini Enterprise: Slack data store
The Slack data store is generally available (GA) in Gemini Enterprise.
You can connect a Slack Workspace to search and read conversations, files, and messages using natural language. You can also perform actions, such as sending and scheduling messages, directly from the Gemini Enterprise app chat box.
For more information, see Connect Slack.
User ID logging now included with agent logs when you opt in to "Enable logging of prompt inputs and response outputs"
Prompt input and response output logging now includes the
user.id field. This addition allows better tracking of
anomalous tool interactions.
For details on configuration, see Write traces for an agent.
Advanced reporting dashboards 4.22
We've released version 4.22 of the advanced reporting dashboards.
Added a Location filter to dashboards
The following dashboards now include a Location filter:
Queue Performance dashboard improvements
We've made the following improvements to the Queue Performance - Calls and Queue Performance - Chats dashboards:
Added the dashboards to the Advanced Reporting Landing Page.
Added a Support Phone Number filter.
Renamed the Total Inbound Handled tile (calls only) to Total Queue Answered.
Added a Total Failed tile.
In the Queue Summary table, removed the Total Inbound Calls Handled column and added the following columns: Total Queue Interactions, Total Queue Entries, Total Queue Answered, Total Failed, and Total Transfers.
For more information, see Queue Performance dashboards.
General dashboard updates
In the Performance Overview dashboard, we renamed the following tiles:
Queued Now to Current Queued Now
Max Queue Time to Current Max Queue Time
The Real-time Connected - Calls and Real-time Connected - Chats dashboards now include the following tiles:
Total Connected Calls (calls only)
Total Connected Chats (chats only)
Avg Current Sentiment Score
In the Queue Group Performance - All dashboard, we renamed the Lang filter to Language.
The following issues were addressed in this release:
Fixed an issue where the CSAT scores in the Performance Overview and CSAT dashboards didn't match.
Fixed an issue where the Queue Performance dashboard incorrectly totaled queue interactions, resulting in lower counts than expected.
Fixed an issue in the All Interactions - Chat dashboard where the Virtual Agents Chats table displayed the wrong chat.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue where the Chat ID filter on the Queue Performance - Chats dashboard incorrectly displayed placeholder values.
Fixed an issue where scheduled exports of large queries were limited to 500 rows, causing reporting delays.
Fixed an issue in the Historical Data table of the Agent Activity dashboard where the Start Time and End Time columns indicated incorrect durations for agents belonging to multiple teams.
Fixed an issue where short abandoned calls and chats were incorrectly included in the Abandons dashboard, causing inaccurate reporting of queue abandon times.
Fixed an issue where dashboard windows didn't fully display their contents.
We've reduced the processing and delivery delay for Google Cloud Marketplace partner reports from 2 days (D+2) to 1 day (D+1), accelerating by one day the delivery of the Customer Insights reports to Cloud Marketplace partners.
For information about processing times, see Customer Insights report frequency
Google Distributed Cloud (software only) for VMware 1.34.500-gke.108 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.34.500-gke.108 runs on Kubernetes v1.34.7-gke.200.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.34.500-gke.108:
stackdriver.disableVsphereResourceMetrics to true in the cluster configuration file, user cluster installations or upgrades stalled indefinitely because the installer erroneously deleted the vsphere-ca-certificate ConfigMap, causing vsphere-csi-controller pods to fail with mount errors. You no longer need to manually recreate the ConfigMap or scale down the vsphere-metrics-exporter deployment as a workaround. gkectl diagnose command failed to run on standard user clusters managed by an advanced admin cluster.Google Distributed Cloud (software only) for bare metal 1.34.500-gke.108 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.34.500-gke.108 runs on Kubernetes v1.34.7-gke.200.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.34.500-gke.108:
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2558000 | cos-117-18613-613-5 | cos-117-18613-613-5 release notes |
| 1.31.14-gke.1967000 | cos-117-18613-613-7 | cos-117-18613-613-7 release notes |
| 1.33.12-gke.1059000 | cos-121-18867-381-125 | cos-121-18867-381-125 release notes |
| 1.35.5-gke.1057000 | cos-125-19216-395-7 | cos-125-19216-395-7 release notes |
| 1.36.0-gke.2459000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
Standard parser support policy
Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through Important UDM Fields. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community.
For more information, see Standard parser support policy.
New Cloud Identity integration
Standard parser support policy
Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through Important UDM Fields. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community.
For more information, see Standard parser support policy.
You can use the data lineage remote MCP server to interact with Knowledge Catalog (formerly Dataplex Universal Catalog) to query data lineage graphs, discover upstream data provenance, and analyze downstream impact.
This feature is available in preview. For more information, see Use the data lineage remote MCP server.
The following features will begin rolling out as part of Looker 26.8.
The Looker Continuous Integration (CI) feature is now generally available.
Conversational Analytics now supports the ability to run queries when users are in Development Mode.
Now available in preview for BigQuery and Snowflake connections, Looker integrates with in-database analytic models (BigQuery Graph and Snowflake semantic views), so that you can keep your semantic definitions consistent across Looker and other BI tools, applications, or workloads that interface with your data warehouse.
See the In-database analytic models documentation page for more information.
Note: This item was added on May 28, 2026.
Now available in preview, dashboard editors can change the size and layout of dashboard tiles with more granularity. To enable this feature, a Looker admin must turn on the Granular Dashboard Sizing setting on the Preview page in the Admin panel.
Now available in preview, enhanced observability metrics, including engagement and token usage data, are available for Conversational Analytics on the Conversational Analytics System Activity dashboard. To use this feature, a Looker admin must turn on the Conversational Analytics Observability setting on the Preview admin page. Note: Token usage monitoring for Conversational Analytics is not available at this time. This item was updated on June 1, 2026.
Now available in preview, you can use natural language to instruct a Conversational Analytics data agent to create a workflow that notifies you when your data has met certain conditions. To use this feature, a Looker admin must turn on the Agentic Workflows setting on the Gemini in Looker admin page.
Now available in preview, the Looker-managed Model Context Protocol (MCP) server allows AI agents to securely connect to your Looker instance without requiring separate middleware. Looker admins can enable this feature and manage which AI tools are available to developers from the new Model Context Protocol (MCP) page in the Admin panel. Usage of the managed MCP server is also tracked within System Activity Explores and Cloud Audit Logs.
Model localization for imported projects will be supported in a future release.
Note: This item was updated on May 28, 2026.
Now available in preview, you can publish the Conversational Analytics data agents that you create in Looker to Gemini Enterprise. All users who have the save_agents permission will be granted the publish_agent_externally permission. To use this feature, a Looker admin must turn on the Publish to Gemini Enterprise setting on the Gemini in Looker admin page.
Now available in preview, you can create and use Conversational Analytics data agents on Looker user-defined dashboards. Conversational Analytics uses the Production Mode of content when it queries Looker dashboards. To use this feature, a Looker admin must turn on the Enable Dashboard Agents setting on the Gemini in Looker admin page.
Looker has introduced the following new feature updates for tabbed dashboards:
The Self-service Explores feature is now supported on Snowflake connections. Your Looker admin can select a Snowflake connection in the Default Connection field of the Self-service Explores admin page. On Snowflake connections, you can upload comma-separated files (CSV) and Excel files (XLS and XLSX) to create a self-service Explore.
Looker has introduced a security sandboxing enhancement for Git command-line interface (CLI) operations. For Looker projects that are configured with SSH connections, this enhancement restricts which directories and executables can be accessed on the instance when Git worktree commands are executed. Looker projects that use HTTPS connections are not affected.
This sandboxing feature is enabled automatically for Cloud-hosted Looker (original) and Looker (Google Cloud core) instances starting in Looker 26.8.
For customer-hosted Looker instances, this security enhancement is available starting in Looker 26.10. To opt in to security sandboxing, you must install the proot package on your Looker host machine. If proot isn't installed, SSH-connected Git operations will still be executed successfully but won't have the sandboxing protection.
Note: This item was updated on May 29, 2026.
The Admin > Roles panel user interface has been updated.
Looker admins can no longer create or manage API credentials for individual standard users in Looker (original) instances. Users must now manage their own keys from their Account page. Admins can enable or disable self-service API key management for users and continue to manage credentials for API-only service accounts. To improve security, API keys are no longer visible to admins while they are sudoing as another user.
Managed Service for Apache Airflow now supports Google Cloud tags for environments.
Tags provide a way to create annotations for resources, and conditionally allow or deny policies based on whether a resource has a specific tag.
In Managed Airflow (Gen 3), it is now possible to
create Kubernetes Secrets with the kubernetes.io/dockerconfigjson
secret type
through the beta Cloud Composer API, in addition to the default
Opaque secret type. For more information, see Manage Kubernetes Secrets.
(Airflow 3) The INFO log level filter in Airflow UI now correctly displays log messages with this logging level.
New Airflow builds are available in Managed Airflow (Gen 3):
New images are available in Managed Airflow (Gen 2):
The following Managed Airflow versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.24, composer-2.13.2-airflow-2.9.3, composer-2.13.2-airflow-2.10.5.
For Exadata Database Service on Exascale infrastructure, Base Database Service, and Goldengate, Oracle Database@Google Cloud adds the following regions and zones:
australia-southeast2-a-r2 (Melbourne, Australia)europe-west8-b-r1 and europe-west8-a-r1 (Milan, Italy)For a list of supported locations, see Supported regions and zones.
Secure Source Manager enforces a daily rate quota on the size of code scanned for credentials per instance. The default quota limit is 1 GB per day per instance. For more information, see Quotas and limits.
Spanner Graph supports a suite of graph algorithms covering use cases such as fraud detection, entity resolution, and recommendations. You can invoke graph algorithms as built-in function calls in Spanner Graph queries. You can save your output to Cloud Storage or Spanner. This feature is available in Preview.
Agent Search: Table and image annotation in layout parser
The table annotation and image annotation features of the layout parser are generally available (GA).
You can ask the layout parser to annotate images or tables with a descriptive block of text describing the information in the image or table. The annotation can then be used as a source in a generated answer. For more information, see Layout parser.
]]>The Data Science Agent (DSA) for Colab Enterprise and BigQuery is now generally available (GA).
For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map, providing more granular control over caching. You can now apply specific caching logic based on hostnames, URL paths, HTTP headers, and query parameters. This feature is Generally Available.
For more information, see Cache policies in URL maps.
For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map. This provides granular control over caching policies based on criteria like hostname, URL path, HTTP headers, and query parameters. This feature is in General availability.
For more information, see Configure a Cloud CDN cache policy.
Frontend configuration for load balancing incoming IPv6 traffic is now supported for the following load balancers:
This feature is in Preview.
For more information, see the following documentation:
Cloud Trace in Observability Analytics is generally available (GA). Observability Analytics lets you query and analyze your trace data by using SQL. You can chart your query results, save your queries, and join your trace and log data.
For more information, see the following documents:
The Observability API is generally available (GA). This API lets you configure the following:
For more information, see the following documents:
Trace scopes are generally available (GA). For more information, see Create and manage trace scopes.
The following remote MCP servers automatically generate a trace span for
tools/call operations. These spans can help you understand the behavior of
your agentic applications. For more information, see
Investigate MCP calls using Trace.
Data Science Agent
Generally available: Use the Data Science Agent to automate exploratory data analysis, perform machine learning tasks, and deliver insights from within a Colab Enterprise notebook. To get started, see Use the Data Science Agent.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Added support for the swiotlb=any kernel command line parameter.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded net-misc/openssh to v10.0_p2.
Fixed a crash that occurs when using the configfile or
source GRUB2 commands when Secure Boot is enabled.
Fixed a race condition triggered by ext4 online resize that rarely causes machines to fail to boot.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-31419 in the Linux kernel.
Fixed CVE-2026-31430 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43074 in the Linux kernel.
Fixed CVE-2026-43088 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed EFI variable OOB read in grub config parsing.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-32289,CVE-2026-32282,CVE-2026-32288,CVE-2026-27142,CVE-2025-61728,CVE-2026-27139,CVE-2026-39817,CVE-2026-39819,CVE-2025-68119,CVE-2025-61732,CVE-2026-32280,CVE-2026-25679,CVE-2026-27144,CVE-2026-32283,CVE-2026-27140,CVE-2025-61731,CVE-2026-32281,CVE-2025-61726,CVE-2025-68121,CVE-2026-27143,CVE-2026-39826,CVE-2026-39823,CVE-2026-39825,CVE-2026-33814,CVE-2026-39820,CVE-2026-42499,CVE-2026-39836.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Added support for the swiotlb=any kernel command line parameter.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Upgrade app-admin/fluent-bit to v3.2.10
Updated sys-libs/pam to v1.5.3.
Upgraded net-misc/openssh to v10.0_p2.
Fixed a crash that occurs when using the configfile or
source GRUB2 commands when Secure Boot is enabled.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-31419 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43088 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-42499,CVE-2026-39820,CVE-2026-39826,CVE-2026-33814,CVE-2026-39836,CVE-2026-39823,CVE-2026-39825,CVE-2026-39817,CVE-2026-39819.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Update sys-process/audit to v3.0.9.
Upgrade app-admin/fluent-bit to v3.2.10
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-23473 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43109 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-33814,CVE-2026-39823,CVE-2026-39826,CVE-2026-39817,CVE-2026-39819,CVE-2026-39820,CVE-2026-39836,CVE-2026-42499,CVE-2026-39825.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded app-containers/containerd from v1.7.29 to v1.7.31.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-23473 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43109 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-39817,CVE-2026-39825,CVE-2026-33814,CVE-2026-39819,CVE-2026-39826,CVE-2026-39823,CVE-2026-39820,CVE-2026-42499,CVE-2026-39836.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
Gemini Enterprise: Filter support for Google Sites data stores (Preview)
You can add Site URL prefix filters to Google Sites data stores in Gemini Enterprise to include or exclude specific sites from search results.
This feature is in Public Preview. For more information, see Add filters to a Google Sites data store.
Gemini Enterprise: Gemini Enterprise assist is deprecated
The Gemini Enterprise assist feature is deprecated and shut down. Users can now find comprehensive and relevant answers directly in the Gemini Enterprise documentation.
Gemini Enterprise: Data store for PagerDuty (Preview)
You can connect PagerDuty data stores to Gemini Enterprise.
Support for PagerDuty data stores is in Public Preview. For more information, see Connect PagerDuty.
Gemini Enterprise: Administrator control for Gemini 3.5 Flash
Gemini Enterprise administrators can use the feature management toggle to turn on or turn off Gemini 3.5 Flash, controlling its visibility in the Gemini Enterprise app chat box.
The feature management toggle for Gemini 3.5 Flash will not be available after June 8, 2026. Starting June 8, 2026, Gemini 3.5 Flash is enabled by default and cannot be turned off for users in the Gemini Enterprise app.
For more information about feature controls, see Manage features on the web app.
The Gemini Deep Research Agent released in Preview
The Gemini Deep Research Agent has been released in Preview. The Gemini Deep Research Agent is a managed AI agent that plans, executes, and synthesizes complex, multi-step research workflows across the public web and private enterprise data to generate comprehensive, cited reports.
For more information, see Use the Gemini Deep Research Agent.
Agent Platform Sandboxes
Additional Agent Platform sandbox features are now available:
Identify the agents with the most content security violations
The Security dashboard displays the top 10 agents with the most content violations detected by Model Armor. The list shows the agent ID of each agent and the number of violations detected for that agent. For more information, see Monitor content security.
Vertex AI Extensions deprecation
Vertex AI Extensions is deprecated and will be shut down after November 26, 2026. We recommend migrating to Agent Platform to avoid service disruption.
Google Cloud CCaaS 4.35
We've released version 4.35 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue where URLs copied from Microsoft Word into SMS chat sessions were incorrectly formatted, causing links to merge with adjacent text.
Fixed an issue with Alvaria campaigns where the dialer didn't correctly use the country code from the @COUNTRYCODE field when selecting the contact number to dial.
Fixed an issue where live transcription didn't resume after an agent enabled and then disabled redaction during IVR payment card collection.
Fixed an issue where agents couldn't upload PDF files in chat sessions.
Fixed an issue where end-users encountered errors or empty details when accessing call history immediately after a call ended.
Fixed an issue where agents became stuck in the In-call status and
couldn't end calls or change their status, preventing them from handling new
interactions.
Fixed an issue where the deletion of the default greeting message for a language didn't persist.
Fixed a web SDK issue where scheduling a call in one queue incorrectly showed the Reschedule Call screen from a different queue.
Fixed an issue that occurred when a human agent invoked the payment virtual task assistant to collect card details. When the call was transferred back to the human agent, live transcription and sentiment analysis didn't resume.
Fixed an issue where HubSpot ticket creation failed when Skip CRM Account Creation and Skip Account Lookup were enabled. This resulted in tickets being created without an associated phone number.
Fixed an issue where, after transferring a call from one queue to another, the receiving agent's desktop temporarily showed the source queue's agent desktop layout instead of the destination queue's layout.
Fixed an issue where outbound Telnyx calls got stuck on the agent adapter Connecting screen when Agent Voice Detection was enabled globally.
Fixed an issue where Alvaria Advanced Outreach outbound campaign batch files weren't ingested by Contact Center AI Platform, preventing campaigns from loading contacts.
Fixed an issue where a single inbound call in Salesforce created two cases.
Fixed an issue where the Agents dashboard showed an invalid -10 agent
status during wrap-up and after calls.
Fixed an issue where Alvaria WFM Agent Performance reports displayed no agent activity.
Fixed an issue where the NICE WFM exporter reported higher abandoned call counts than Contact Center AI Platform reporting.
Fixed an issue where chats escalated from a virtual agent to a human agent were dismissed shortly after assignment.
Fixed an issue where the Ticket URL column in the Individual Call History CSV report was blank for newly recorded calls, preventing customers from accessing and downloading call recordings from the report.
Fixed an issue where newly created teams couldn't be reordered in the CCAI Platform portal.
Fixed an issue where the agent desktop Previous Interactions panel didn't show Agent Assist summaries from past calls.
Fixed an issue where conversation history didn't display correctly in the agent adapter when a chat was escalated from a virtual agent to a human agent and then a large number of messages were sent by the end-user.
Cloud Storage FUSE CSI driver is now supported for Google Cloud Dedicated
clusters and node pools running GKE version 1.36.0-gke.1266000 and higher. To
use the driver, you must specify the custom-endpoint mount option by using
either the gcsfuse CLI
or the configuration
file format.
For more information, see About Cloud Storage FUSE CSI driver for
GKE.
To monitor the efficiency of the GKE training JobSet, the following two GKE system metrics are available in Preview:
kubernetes.io/jobset/scheduling_goodput: the fraction of time that all the
resources required to run the training JobSet are available.kubernetes.io/jobset/proxy_runtime_goodput: the fraction of time that all
required accelerators are productive. This metric provides an estimate of the
real runtime goodput.For details about GKE metrics, see Kubernetes metrics. For details about goodput metrics that are used to measure efficiency, see Monitor goodput with the ML Goodput Measurement library.
You can also view these new GKE metrics in the JobSet monitoring dashboard.
Data products in Knowledge Catalog is Generally Available (GA). A data product serves as a logical, curated package of data assets and context designed to solve a specific business problem.
This release includes the following new features:
Approval workflows for data product consumption: Data product consumers can browse published data products, submit access requests, and track their status. Data product owners can track, approve, or reject access requests using the Google Cloud Console or the API. For more information, see Use data products and Manage data products.
Automated documentation and insights: Data product owners can leverage Knowledge Catalog data insights and Gemini to automatically generate sample queries, business insights, and documentation templates for data products. For more information, see Create data products.
Service account support: Data product owners can configure service accounts in access groups, and data product consumers can request access for their service accounts. For more information, see Create data products.
Remote Model Context Protocol (MCP) server support (Preview) Data applications and AI agents can programmatically interact with data products. By deploying the Knowledge Catalog remote MCP server, developers can create data products, discover data products, and inspect data product metadata from external IDEs and LLM clients. For more information, see Access data products using Model Context Protocol.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine): The following subminor image versions announced on May 19, 2026 have been rolled back: