Release 6.3.84 is now available for all regions.
]]>Backup and DR Service now supports customer-managed encryption keys (CMEK) for Cloud SQL enhanced backups. This allows you to protect your Cloud SQL backups using the same KMS key as the source instance, with decoupled IAM permissions anchored to the Backup and DR Service service agent.
The
AI.DETECT_ANOMALIES function
supports calling the function with a single input table that holds both the
historical and target data. This feature is
generally available
(GA).
You can now configure the results field in build config files. This
field allows a build step to store data and then attach that data in an
attestation within the build results after the build has completed.
For more information, see
results.
Starting with version 2.66.0, the Ops Agent can export your logs and metrics by using the OpenTelemetry-based Telemetry API rather than by using the Cloud Logging API and Cloud Monitoring API. During the preview Preview period, you can opt-in to using the Telemetry API. For more information, see Use the Telemetry API.
Starting with version 2.66.0, the Ops Agent can export your metrics and logs by using the OpenTelemetry-based Telemetry API rather than by using the Cloud Monitoring API and Cloud Logging API. During the preview Preview period, you can opt-in to using the Telemetry API. For more information, see Use the Telemetry API.
Manage agent revisions and traffic splitting
Agent revisions and traffic splitting are now available in public preview. You can create immutable revisions of deployed agents, and split traffic between the different active revisions. This enables canary deployments and safe testing of new agent versions. For more information, see Manage revisions and traffic.
ve1 hardware End-of-Life (EoL) migration guide: You can now refer to the public
documentation to migrate workloads from retiring ve1 hardware. First-generation ve1 bare metal nodes are reaching the end of their useful life on a rolling basis. When your hardware is scheduled for retirement, you receive an EoL notification containing timelines and instructions to migrate your clusters.
Column-level lineage for Dataproc is generally available (GA). This feature enables you to track the flow of data between individual columns in BigQuery, BigLake external tables, Cloud Storage buckets, and other resources as reported by Dataproc clusters and Serverless for Apache Spark. For more information, see About data lineage.
The Data Lineage API is now updated with the following changes:
SearchLinks method accepts multiple source and target entity references as search criteria.For more information, see the Data Lineage API reference for REST and RPC.
Vulnerability Assessment for Google Cloud supports scanning GKE clusters that have Image streaming enabled.
Agent Search: Agent Search for healthcare is deprecated
Agent Search for healthcare is deprecated.
For a comprehensive, managed solution, consider building custom search apps on Agent Search. Or, if you require fine-grained control over the underlying retrieval mechanisms and are prepared for a more customer-managed integration, use Agent Retrieval (formerly known as Vector Search 2.0).
]]>Support for the AI.KEY_DRIVERS function
preview
has been temporarily disabled. We are working to restore this feature as soon as
possible.
The google-api-core preinstalled package versions from 2.28.0 to 2.30.2 might
cause degraded environment performance, which can result in longer times to
execute a task and longer times to move a task from the queued to the executing
state.
Affected Managed Airflow (Gen 3) builds:
Affected Managed Airflow (Gen 2) builds:
We recommend to upgrade your environment to the following versions, which contain a version of the package where the problem is fixed or isn't present:
As a workaround, you can manually install a later version of the
google-api-core package to an affected environment by specifying >=2.30.3
as the required version.
The Cloud KMS Encryption metrics dashboard and project-level key tracking are generally available. You can use the Encryption metrics dashboard to review summaries and details of your keys used in customer-managed encryption key (CMEK) integrations and the resources that they protect. The Encryption metrics dashboard and the key Usage tracking tab support both centralized key management using a dedicated key project and delegated key management using keys stored in the same projects as the resources that they protect.
For more information about the Encryption metrics dashboard, see View encryption metrics. For more information about project-level key tracking, see View key usage.
You can use three new variables in custom request and response headers for Application Load Balancers:
asn: The Autonomous System Number (ASN) associated with the client's IP
address.
cloud_trace_id: The trace ID extracted (or generated) from the HTTP request
header.
hostname: The original hostname specified by the client in the Host HTTP
request header. This allows preservation of the original host header
(equivalent to X-Forwarded-Host).
These variables are available for both global external Application Load Balancers and classic Application Load Balancers.
For more information, see Create custom headers in backend services.
Various bug fixes and minor product enhancements.
Priority PayGo is generally available (GA)
Priority PayGo is a consumption option that provides more consistent performance than standard PayGo without the upfront commitment of Provisioned Throughput. It is ideal for business-critical workloads with fluctuating or unpredictable traffic patterns.
For more information, see Priority PayGo.
GKE now supports concurrent node pool upgrades for clusters (Preview). By default, GKE automatically upgrades one node pool at a time. To decrease the total time required to upgrade your cluster, you can now configure the maximum number of node pools that GKE auto-upgrades simultaneously. This feature is supported for both Standard and Autopilot clusters. For more information, see Configure concurrent node pool upgrades.
Managed OpenTelemetry on GKE now supports the collection of multimodal prompts and responses (Preview) for LangGraph and Agent Development Kit (ADK) agents. You can view and analyze the data in the Trace Explorer and BigQuery platforms. For more details, see Collect multimodal prompts and responses data.
Container-Optimized OS (COS) milestone 129 and higher no longer include the
kubectl binary in the /usr/bin/ directory.
The Spanner change streams default retention period has been increased from 1 day to 7 days. This change affects both new and existing change streams that don't have a retention period explicitly set. You can always specify the retention period through create change stream or alter change stream DDL statements to override the default.
You can populate new PostgreSQL dialect databases in an existing Spanner instance from sample datasets that help you explore Spanner capabilities.
For more information, see Create and manage databases.
]]>On May 13, 2026 we released an updated version of the Apigee hybrid software, v1.16.2.
| Bug ID | Description |
|---|---|
| 485738013 | Fixed an issue where API products with LLMTokenQuota operations were not enforcing model-based access restrictions, allowing requests to models not listed in the product to bypass the operations check. |
| 479288727 | Fixed an issue where the Apigee UI and API reported a 10+ minute delay in deployment status after performing a proxy deployment. |
| 499223890 | Fixed an issue where the runtime could not handle HTTP proxy passwords containing special characters in Apigee hybrid 1.16.0-hotfix-1 configurations. |
| 500861814 | Fixed an issue that caused excessive Message Processor (MP) upscaling and failure to downscale. |
| 510438578 | Fixed an ingestion-blocking issue with apigee-stackdriver-prometheus-sidecar in Apigee hybrid 1.16.1. |
Various security and CVE fixes are included in this release.
Proxy version csm_mesh_proxy.20260423_RC03 is rolling out to all Managed Cloud Service Mesh release channels over the next week.
Fixed a bug that prevented agent mode from working on Cloud Workstations.
Various bug fixes and minor product enhancements.
Fixed a bug that prevented agent mode from working on Cloud Workstations.
Various bug fixes and minor product enhancements.
Correction: Gemini Enterprise: EU region for Gemini 3 models is coming soon
The availability of Gemini 3.1 Pro and 3 Flash in the EU region has been updated to "coming soon". Previously, it was listed as currently available.
For more information, see: Using Gemini 3.1 Pro and 3 Flash in Limited Availability.
Mobile SDK for iOS version 2.15.4 patch
This patch includes the following updates for the mobile SDK for iOS:
Fixed an issue where the iOS app crashed during disconnections.
Updated the Twilio Voice and Chat SDKs.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2458000 | cos-117-18613-534-110 | cos-117-18613-534-110 release notes |
| 1.31.14-gke.1868000 | cos-117-18613-534-110 | cos-117-18613-534-110 release notes |
| 1.32.13-gke.1492000 | cos-117-18613-534-110 | cos-117-18613-534-110 release notes |
| 1.33.11-gke.1197000 | cos-121-18867-381-118 | cos-121-18867-381-118 release notes |
| 1.34.7-gke.1499000 | cos-125-19216-220-185 | cos-125-19216-220-185 release notes |
| 1.35.3-gke.2190000 | cos-125-19216-220-185 | cos-125-19216-220-185 release notes |
| 1.36.0-gke.1759000 | cos-beta-129-19506-120-52 | cos-beta-129-19506-120-52 release notes |
Azure Active Directory: Version 28.0
ConnectWise: Version 22.0
EmailV2: Version 41.0
EnvironmentCommon imports to TIPCommon.envcommon.Google Chronicle: Version 82.0
Validate Dynamic List Entries parameter for the following connector:
Jira: Version 57.0
MITRE ATT&CK: Version 19.0
ServiceNow: Version 65.0
Vertex AI Search: Weight searchable fields (Preview)
You can specify a weight for searchable fields in your schema to indicate their relative importance in search results.
This feature is in Public Preview. For more information, see Weight searchable fields.
Agent Search: Stream answers using agentic retrieval (GA with allowlist)
You can use agentic retrieval with the streaming answer method.
Agentic retrieval can return better results as compared to the standard streaming answer method. This is because agentic retrieval can do multi-pass searches across multiple data stores. The agent plans and executes searches sequentially, choosing the best tools, such as Google Search and Google Maps, for each step. Agentic retrieval also enables multi-turn search queries (follow-up questions) on blended search apps.
For more information, see Stream answers using agentic retrieval.
This feature is GA with an allowlist, available for select customers.
reCAPTCHA Mobile SDK v18.9.0 is available for Android. This version includes the following updates:
Improvements to SDK latency and reliability.
Score distribution calibration improvements.
Removes the need for desugaring and raises the minimum supported Android API level to 24 (Android 7.0).
MCP tools support for Agentic AI workflows (Preview)
API hub now exposes read-only APIs as Model Context Protocol (MCP) tools. Agentic AI applications can now use the standard MCP tools/list and tools/call methods to list and inspect API hub resources, including APIs, specs, versions, and deployments.
This feature is in Public Preview. For more information, see API hub MCP reference.
On May 12th, 2026, we released an updated version of Apigee (1-17-0-apigee-7).
| Bug ID | Description |
|---|---|
| 511325186, 505460952, 502250074, 491231600, 497357701, 509560467, 496969438, 495897297, 495033618, 511332617, 505183435, 500735547, 500890221 | Security fix for Apigee infrastructure. This addresses the following vulnerabilities: |
| Bug ID | Description |
|---|---|
| 480260846 | Improved XML processing security to prevent external entity injection. |
| 510061670, 505723451, 503723862, 503817773 | Improved security in OAuthV2 policy. |
| 505645076 | Fixed a security issue in OAuthV2 policy to prevent unauthorized token injection. |
| 503047744, 410026138, 496021751 | Improved security isolation for PythonScript policy execution. |
| 469694040 | Fixed an issue where custom security policies could intermittently fail to apply, and improved security policy resolution to ensure correct policy selection. |
| 502971220 | Fixed a concurrency issue to improve stability under high load. |
| 509692565 | Fixed content-length header handling in external processing to prevent incorrect values. |
| 282207038 | Improved performance while listing apps on scale. |
| 501102321 | Fixed recurring fee calculation in monetization to correctly apply rate plan overrides. |
| 449729840, 502604752 | Fixed streaming response handling to prevent race conditions in bidirectional flows. |
| 507167063 | Fixed preservation of client request IDs during proxy chaining. |
| 507580304 | Improved IPv4 address normalization for consistent access control evaluation. |
| 502692267 | MCP to handle /.well-known/oauth-protected-resource/mcp resource paths. |
| 430170696 | Changed the error response from 500 to 401 for expired consumer keys. |
| 480770263 | Fixed SpikeArrest policy to handle edge cases that previously caused 500 errors. |
| 500861814 | Gracefully handle connection failures involving the forward proxy, resolving an issue where port exhaustion could trigger aggressive retry storms, excessive CPU usage, and unnecessary scaling. |
| 500313309 | Fixed SSE streaming detection logic. |
| 494304819 | Hardened message processor management ports by blocking external access to internal management endpoints. |
| 469642464 | Improved input validation in AI protection policies to prevent Server-Side Request Forgery. |
| 472526232 | Improved SAML assertion validation. |
| 494590020 | Added enforcement for product association in OAuthV2 flow. Apps without valid products are now denied. |
| 479288727 | Improved performance and reduced redundant work in ingress status watcher. |
| N/A | Updates to infrastructure and libraries. |
You can now use the
AI.COUNT_TOKENS function
to estimate the token count of text input that you provide. For some generative
AI functions, you can view
the total number of input, output, thought, and cache tokens for each modality
processed by the query. These features are in
Preview.
The latest tag of generic builder
uses the google-24 stack.
Gemini-powered conversion quality assessments for heterogeneous migrations in Database Migration Service are now generally available (GA).
For more information, see Convert SQL with Gemini in Database Migration Service.
The command for upgrading Cloud SQL instances to the new network architecture has been re-enabled.
For more information, see Upgrade an instance to the new network architecture.
The command for upgrading Cloud SQL instances to the new network architecture has been re-enabled.
For more information, see Upgrade an instance to the new network architecture.
The command for upgrading Cloud SQL instances to the new network architecture has been re-enabled.
For more information, see Upgrade an instance to the new network architecture.
A vulnerability in AMD firmware (CVE-2025-61971, CVE-2025-61972, CVE-2024-36315) that could compromise SEV-SNP guests has been addressed. For more information, see the GCP-2026-031 security bulletin.
A vulnerability (CVE-2025-54518) about potential corruption within the micro-operation (OP) cache in Zen 2 microarchitecture processors was discovered and has been addressed. For more information, see the GCP-2026-032 security bulletin.
Gemini Enterprise: Data store for GitLab (Preview)
You can now connect GitLab data stores to Gemini Enterprise.
Support for GitLab data stores is in Public Preview. For more information, see Connect GitLab.
Google Cloud CCaaS prerelease notes
Here are the prerelease notes for the next version of Google Cloud CCaaS. When we release this version, we expect the new capabilities to be as shown here.
Agent status inheritance for HubSpot users
You can configure CCAI Platform to synchronize agent statuses with HubSpot agent statuses in real time. You can also map HubSpot agent statuses to Contact Center AI Platform statuses (and vice versa) to account for different agent status naming conventions.
Administrators: A new Settings > Developer Settings > Agent Status Inheritance pane is available when you set Settings > Developer Settings > Agent Platform to HubSpot.
For call transfers in HubSpot, the ticket owner is automatically updated
When a call is transferred from one agent to another with a HubSpot integration, HubSpot tickets now automatically update to reflect the new ticket owner. This provides an accurate record of ownership throughout the interaction lifecycle. No configuration is required.
Agent synchronization for HubSpot
You can now configure your instance to use the default administrator user to synchronize CCAI Platform and HubSpot agents. CCAI Platform can use the default administrator user to create and update HubSpot accounts and records, even when a matching HubSpot profile can't be found for an agent.
Administrators: A new Default User section is available in the Settings > Developer Settings > CRM pane.
User experience change: When agent synchronization is configured, a new Authorize button appears on the agent adapter.
This release addresses the following issues:
Fixed an issue where launching a task virtual assistant during a chat caused the agent's screen to freeze.
Fixed an issue where call transcripts from CX Agent Studio agent conversations were added to CRM records as garbled and unreadable text, with repeated words and incorrect turn order.
Fixed an issue where the Wait Time custom field on Zendesk tickets displayed an incorrect value when using custom fields for Account and Record.
Fixed an issue where agents assigned a direct SMS-capable line didn't
receive visual notifications for incoming SMS chats in the agent adapter
while their status was set to Unavailable.
Fixed an issue where some chat transcripts couldn't be downloaded from the Completed Chats page.
Fixed an issue where customer calls were unexpectedly abandoned during payment transactions when DTMF inputs were provided.
Fixed an issue where agents heard repeated call notification sounds during active calls, even when no new call was assigned.
Fixed an issue where only English IVR queues appeared when configuring agent-specific deflection settings, even when other language queues were available.
Fixed an issue where email messages in queues displayed a blank white panel when opened.
Fixed an issue where chat transcript and metadata files were generated as empty files, causing API timeouts and blocking reporting pipelines.
Fixed an issue where chat sessions that ended due to end-user inactivity were marked as Disconnected by end user instead of Timeout: end user stopped responding.
Fixed an issue where agents couldn't receive more than 12 concurrent chats despite being configured for up to 30.
Fixed an issue where virtual agent calls were routed back to the original queue instead of being handled as expected.
Fixed an issue that occurred when a third party was added to a call. After all participants left the call, the call still appeared to be connected.
Fixed an issue where cascade conditions for agent queues didn't correctly enforce the minimum number of available UK agents before allowing calls to cascade from the US queue, resulting in calls being routed incorrectly.
Fixed an issue where bulk user import incorrectly limited the chat concurrency value to the global default, preventing valid per-agent settings from being uploaded.
BigQuery Connector for SAP version 2.14
Version 2.14 of the BigQuery Connector for SAP is generally available (GA).
To protect configuration data, this version assigns the BigQuery Connector for SAP
configuration tables to the custom authorization group ZSGC.
You must ensure your user roles include authorization for this group to maintain access.
For more information, see What's new with BigQuery Connector for SAP.
]]>AlloyDB now offers extended support for clusters running major PostgreSQL versions that have reached their end-of-life (EOL) as defined by the PostgreSQL community. Extended support provides an additional three years of support after the end of regular support, giving you more time to plan and perform major version upgrades. For more information, see Extended support for AlloyDB for PostgreSQL.
Removed the readinessProbe and deprecated health checks for the otel-agent sidecar to align its configuration with other containers.
Changed logLevel configuration to support values as low as -10 to reduce log verbosity in Config Sync containers.
Added support for token-based authentication when using OCI images from third-party registries.
Cloud SQL for MySQL now supports regional endpoints for the Cloud SQL Admin API. This feature lets you direct your API calls to a region-specific endpoint. Using a regional endpoint enhances data locality and helps meet strict compliance expectations. For more information, see Cloud SQL regional endpoints.
This feature is in Preview.
Cloud SQL for PostgreSQL now supports regional endpoints for the Cloud SQL Admin API. This feature lets you direct your API calls to a region-specific endpoint. Using a regional endpoint enhances data locality and helps meet strict compliance expectations. For more information, see Cloud SQL regional endpoints.
This feature is in Preview.
Cloud SQL for SQL Server now supports regional endpoints for the Cloud SQL Admin API. This feature lets you direct your API calls to a region-specific endpoint. Using a regional endpoint enhances data locality and helps meet strict compliance expectations. For more information, see Cloud SQL regional endpoints.
This feature is in Preview.
Google Cloud Observability has expanded the supported locations for observability buckets, which store your trace data, to include the following:
For a list of supported locations, see Locations for observability buckets.
You can purchase Provisioned Throughput for Gemma 4. To learn more, see the list of supported open models.
You can now use Privileged Access Manager (PAM) to delete clusters in the private clouds.
Google Distributed Cloud (software only) for VMware 1.34.400-gke.88 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.34.400-gke.88 runs on Kubernetes v1.34.6-gke.200.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.34.400-gke.88:
gkectl check-config command failed
during preflight checks when bundled ingress was disabled and the
loadBalancer.vips.ingressVIP field was left blank. This failure
occurred because the validation process incorrectly attempted to generate a
network configuration for test VMs using the empty VIP, resulting in an
invalid command (such as ip addr add /32) and causing test VM
initialization to fail.
Google Distributed Cloud (software only) for bare metal 1.34.400-gke.88 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.34.400-gke.88 runs on Kubernetes v1.34.6-gke.200.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.34.400-gke.88:
The following issues were fixed in 1.34.400-gke.88:
etcd-events pod read the stale data directory when it started
and attempted to reuse the old member ID to rejoin the cluster instead of the
new one. Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures the /var/lib/etcd-events directory is
cleared upon failure, and adds retry logic to kubeadm-reset to improve resiliency against transient API errors.
containerd restarts. After the fix, tasks are locked and run
sequentially to ensure each task completes successfully before the next
begins. Each lock is held for up to 20 minutes or until the task reaches
success or failure. To bypass this safety mechanism, you can run tasks
concurrently by adding baremetal.cluster.gke.io/concurrent-machine-update: "true"
to your cluster.
Terminating
state. Because the Kubernetes Eviction API rejects operations in terminating
namespaces, the cluster controller entered an infinite retry loop. The fix
updates the drain process to skip eviction for pods in terminal phases,
allowing the upgrade to proceed normally.Compliance Manager can be enabled for a single project. For more information, see Enable Compliance Manager.
New Standard tier activations at the organization level support the enhanced Standard tier features. New Standard tier activations at the project level continue to support Standard-legacy tier features. For more information, see Standard tier enhanced and automatically activated for some customers.
]]>| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
Fixed CVE-2026-43284 (dirtyfrag) in the Linux kernel.
Apply hardening sysctls on cchost boards.
Enabled mm hardening kernel cmdlines on cchost.
Fixed CVE-2026-23255 in the Linux kernel.
Fixed CVE-2026-23302 in the Linux kernel.
Fixed CVE-2026-23458 in the Linux kernel.
Fixed CVE-2026-31614 in the Linux kernel.
Fixed CVE-2026-31694 in the Linux kernel.
Fixed CVE-2026-31700 in the Linux kernel.
Fixed CVE-2026-31708 in the Linux kernel.
Fixed CVE-2026-31716 in the Linux kernel.
Fixed CVE-2026-31733 in the Linux kernel.
Fixed CVE-2026-31738 in the Linux kernel.
Fixed CVE-2026-31752 in the Linux kernel.
Fixed CVE-2026-31774 in the Linux kernel.
Fixed CVE-2026-31781 in the Linux kernel.
Fixed CVE-2026-35385 and CVE-2026-35386 in net-misc/openssh.
Fixed CVE-2026-43012 in the Linux kernel.
Fixed CVE-2026-43013 in the Linux kernel.
Fixed CVE-2026-43016 in the Linux kernel.
Fixed CVE-2026-43024 in the Linux kernel.
Fixed CVE-2026-43026 in the Linux kernel.
Fixed CVE-2026-43027 in the Linux kernel.
Fixed CVE-2026-43028 in the Linux kernel.
Fixed CVE-2026-43030 in the Linux kernel.
Fixed CVE-2026-43035 in the Linux kernel.
Fixed CVE-2026-43037 in the Linux kernel.
Fixed CVE-2026-43038 in the Linux kernel.
Fixed CVE-2026-43040 in the Linux kernel.
Fixed CVE-2026-43043 in the Linux kernel.
Fixed CVE-2026-43046 in the Linux kernel.
Fixed CVE-2026-43054 in the Linux kernel.
Fixed CVE-2026-43057 in the Linux kernel.
Upgraded cos-gpu-installer to v2.6.8.
Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.
]]>Starting August 11, 2026, the billing label for the BigQuery Data Transfer
Service SKU will be updated from goog-bq-feature-type: DATA_TRANSFER_SERVICE
(uppercase) to goog-bq-feature-type: data_transfer_service (lowercase) to
provide a more unified and complete view of your costs. This update expands the
scope of the label to cover all costs associated with the BigQuery Data Transfer
Service, including data transfer orchestration, data load operations, and data
merge operations.
To ensure uninterrupted cost visibility, update your billing exports, dashboards, and reporting queries to include both these labels.
You can configure a workstation authorization URL for workstation clusters.
When you specify an authorization URL, unauthorized HTTP or HTTPS requests received by workstation VMs in the cluster are redirected to this endpoint. The endpoint is then responsible for retrieving an access token and redirecting back to the original hostname with the token.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
This is an LTS Refresh release.
Fixed CVE-2026-43284 (dirtyfrag) in the Linux kernel.
Apply hardening sysctls on cchost boards.
Enabled mm hardening kernel cmdlines on cchost.
Upgraded dev-db/sqlite to v3.51.2.
Upgraded dev-libs/expat to v2.7.4.
Upgraded net-libs/libnetfilter_conntrack to v1.1.1.
Upgraded sys-libs/libseccomp to v2.6.0-r3.
Upgraded sys-process/procps to v4.0.6.
Fixed CVE-2026-31693 in the Linux kernel.
Fixed CVE-2026-31694 in the Linux kernel.
Fixed CVE-2026-31700 in the Linux kernel.
Fixed CVE-2026-31708 in the Linux kernel.
Fixed CVE-2026-31716 in the Linux kernel.
Fixed CVE-2026-31738 in the Linux kernel.
Fixed CVE-2026-31752 in the Linux kernel.
Fixed CVE-2026-31774 in the Linux kernel.
Fixed CVE-2026-31781 in the Linux kernel.
Fixed CVE-2026-35385 and CVE-2026-35386 in net-misc/openssh.
Fixed CVE-2026-43012 in the Linux kernel.
Fixed CVE-2026-43013 in the Linux kernel.
Fixed CVE-2026-43016 in the Linux kernel.
Fixed CVE-2026-43024 in the Linux kernel.
Fixed CVE-2026-43026 in the Linux kernel.
Fixed CVE-2026-43027 in the Linux kernel.
Fixed CVE-2026-43028 in the Linux kernel.
Fixed CVE-2026-43030 in the Linux kernel.
Fixed CVE-2026-43035 in the Linux kernel.
Fixed CVE-2026-43037 in the Linux kernel.
Fixed CVE-2026-43038 in the Linux kernel.
Fixed CVE-2026-43040 in the Linux kernel.
Fixed CVE-2026-43043 in the Linux kernel.
Fixed CVE-2026-43057 in the Linux kernel.
Upgraded cos-gpu-installer to v2.6.8.
Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Fixed CVE-2026-43284 (dirtyfrag) in the Linux kernel.
Fixed CVE-2026-31693 in the Linux kernel.
Fixed CVE-2026-31694 in the Linux kernel.
Fixed CVE-2026-31700 in the Linux kernel.
Fixed CVE-2026-31708 in the Linux kernel.
Fixed CVE-2026-31738 in the Linux kernel.
Fixed CVE-2026-31752 in the Linux kernel.
Fixed CVE-2026-31781 in the Linux kernel.
Fixed CVE-2026-43013 in the Linux kernel.
Fixed CVE-2026-43016 in the Linux kernel.
Fixed CVE-2026-43024 in the Linux kernel.
Fixed CVE-2026-43026 in the Linux kernel.
Fixed CVE-2026-43027 in the Linux kernel.
Fixed CVE-2026-43028 in the Linux kernel.
Fixed CVE-2026-43030 in the Linux kernel.
Fixed CVE-2026-43035 in the Linux kernel.
Fixed CVE-2026-43037 in the Linux kernel.
Fixed CVE-2026-43038 in the Linux kernel.
Fixed CVE-2026-43040 in the Linux kernel.
Fixed CVE-2026-43043 in the Linux kernel.
Fixed CVE-2026-43054 in the Linux kernel.
Fixed CVE-2026-43057 in the Linux kernel.
Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.29 | See List |
This is an LTS Refresh release.
Fixed CVE-2026-43284 (dirtyfrag) in the Linux kernel.
Upgraded net-fs/cifs-utils to v7.5.
Upgraded sys-libs/talloc to v2.4.4.
Upgraded net-libs/libnetfilter_conntrack to v1.1.1.
Upgraded net-libs/libtirpc to v1.3.7-r2.
Upgraded sys-apps/acl to v2.3.2-r3.
Upgraded sys-libs/libseccomp to v2.6.0-r3.
Upgraded sys-process/procps to v4.0.6.
Fixed CVE-2026-35385 in net-misc/openssh.
Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.
Runtime sysctl changes:
Various bug fixes and minor product enhancements.
Gemini Enterprise: Box data store using data federation
Connecting a Box data source with Gemini Enterprise using data federation is generally available (GA).
For more information, see Set up a Box data store.
Gemini Distillation Service Early Access
We're introduction Gemini Distillation Service in Early Access. For information about requesting access, see Gemini Distillation Service.
Improvements to the Provisioned Throughput orders page have now made it possible to:
See View standard Provisioned Throughput orders.
You can use the IAM recommender to remediate excessive permissions for Google groups by transitioning from permanent role bindings to temporary, on-demand entitlements in Privileged Access Manager (PAM). This feature is in Preview.
To learn how to remediate excessive permissions, see Remediate excessive permissions with Privileged Access Manager.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) names remain unchanged. For more information, see Knowledge Catalog overview.
Policy Controller version 1.23.2 is now available.
You can use the IAM recommender to remediate excessive permissions for Google groups by transitioning from permanent role bindings to temporary, on-demand entitlements in Privileged Access Manager (PAM). This feature is in Preview.
To learn how to remediate excessive permissions, see Remediate excessive permissions with Privileged Access Manager.
Storage Transfer Service now supports AWS GovCloud (US) regions, including
us-gov-east-1 and us-gov-west-1. You can now transfer data from Amazon S3
buckets located in GovCloud regions using both batch and event-driven
transfers.
For more information, see Configure access to a source: Amazon S3 and Event-driven transfers from AWS S3.
]]>Unified MCP Proxy Configuration in API hub (Preview)
API hub allows you to create and deploy Model Context Protocol (MCP) discovery proxies. Select specific API operations from your registered catalog, bundle them into an MCP server, and automatically deploy them as discovery proxies in your Apigee project. This feature eliminates the need to manually author MCP specifications in Apigee.
This feature is in Public Preview. For more information, see Manage MCP proxies.
You can use Aerospike migration tools to migrate data from Aerospike to Bigtable with minimal or zero downtime. This feature is available in Preview. For more information, see Migrate Aerospike to Bigtable.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Fixed CVE-2026-23411 in the Linux kernel.
Fixed CVE-2026-31738 in the Linux kernel.
Fixed CVE-2026-31752 in the Linux kernel.
Fixed CVE-2026-43013 in the Linux kernel.
Fixed CVE-2026-43024 in the Linux kernel.
Fixed CVE-2026-43026 in the Linux kernel.
Fixed CVE-2026-43027 in the Linux kernel.
Fixed CVE-2026-43028 in the Linux kernel.
Fixed CVE-2026-43030 in the Linux kernel.
Fixed CVE-2026-43035 in the Linux kernel.
Fixed CVE-2026-43037 in the Linux kernel.
Fixed CVE-2026-43038 in the Linux kernel.
Fixed CVE-2026-43040 in the Linux kernel.
Fixed CVE-2026-43043 in the Linux kernel.
Fixed CVE-2026-43054 in the Linux kernel.
Fixed CVE-2026-43057 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Fixed CVE-2026-35385 in net-misc/openssh.
Upgraded cos-gpu-installer to v2.6.8.
A Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform allows an authenticated user with specific roles to escalate privileges and potentially take over a project using a maliciously crafted playbook import. This vulnerability was patched on 15 March 2026, and no customer action is needed.
Gemini Enterprise: Data store for Google Sites (Preview)
You can connect Google Sites data stores to Gemini Enterprise.
Support for Google Sites data stores is in Public Preview. For more information, see Sync from Google Sites.
Gemini Enterprise: Multiple API endpoints for the Integration Platform were inadvertently exposed.
This issue has been resolved, and access has been restricted. No action is required from external customers.
Gemini 3.1 Flash-Lite is now generally available
Our most cost-efficient Gemini model, 3.1 Flash-Lite, is out of preview and is now generally available. For technical information on this model, see the model information card.
You can purchase Provisioned Throughput for Gemini 3.1 Flash-Lite. To learn more, see the Provisioned Throughput overview.
Looker 26.8 is expected to include the following changes, features, and fixes:
The ability for dashboard editors to set default row and column limits for dashboard tile downloads and for dashboard viewers to choose to edit these values when downloading the tile is now generally available.
Available in preview, you can publish the Conversational Analytics Explore data agents that you create in Looker to Gemini Enterprise. All users who have the save_agents permission will be granted the publish_agent_externally permission. Note: This feature is not yet available. This release note was updated on May 14, 2026.
Available in preview, you can create and use Conversational Analytics data agents on dashboards. Dashboard agents uses the Production Mode of content when querying Looker dashboards. Note: This feature is not yet available. This release note was updated on May 14, 2026.
The approximate parameter is now supported on Snowflake connections.
Conversational Analytics now supports querying Looker Explores in Development Mode.
An issue has been fixed where queries that used custom calendars with subtotals may have produced incorrect results. Note: This item was updated on May 12, 2026.
An issue has been fixed where Looker could use an aggregate table of incorrect granularity if the SQL of a dimension was defined by using Liquid and if aggregate awareness was enabled. This feature now performs as expected.
An issue has been fixed where users who don't have the see_user_dashboards permission could get a 404 error when viewing the Looker home page. This feature now performs as expected.
An issue has been fixed where only admins could use the Unlock Branch feature. This feature is now available to LookML developers.
An issue has been fixed where the sync_lookml_dashboard API endpoint was not compatible with tabbed dashboards. This feature now performs as expected.
The generic error message that Looker produces when BigQuery OAuth connections are being tested has been updated to encourage checking the correct root cause, such as context-aware access restrictions. This feature now performs as expected.
An issue has been fixed where enabling Admin Assistant could have no effect. This feature now performs as expected.
An issue has been fixed where Conversational Analytics could not be used when an IP allowlist was enabled.
An issue has been fixed where appending the string /edit to an Explore URL could incorrectly change the Explore UI to the legacy Explore UI. This feature now performs as expected.
The Page breaks between tabs option no longer appears on dashboards that don't have any tabs. This feature now performs as expected.
An issue has been fixed where enabling totals on a query with a period-over-period measure could cause Looker to return a 500 error. This feature now performs as expected.
An issue has been fixed where Looker could incorrectly display string filter options for a time timeframe instead of datetime filter options. This feature now performs as expected.
An issue has been fixed where the Select All button on dashboards filters could appear even if the filter was not populated. This feature now performs as expected.
An issue has been fixed where LookML projects that contained the string "self-service" were incorrectly hidden in the Manage LookML Projects UI. This feature now performs as expected.
An issue has been fixed where navigating dialogs with the Tab key could cause the user to unexpectedly exit the dialog. This feature now performs as expected.
An issue has been fixed where updating dashboard filters could fail to update linked child filters. This feature now performs as expected.
An issue has been fixed where Looker could fail to save Markdown files that were edited in the Looker IDE. This feature now performs as expected.
An issue has been fixed where clearing numeric input fields on the Content Guardrails admin page caused Looker to input a zero that would be appended to subsequent user input. This feature now performs as expected.
An issue has been fixed where clicking links inside an iframe could result in a 401 or 403 error when cookieless embed was enabled. This feature now performs as expected.
An issue has been fixed where LookML dashboards could fail to appear on the home page. This feature now performs as expected.
The Conversational Analytics Advanced Analytics feature, formerly known as the Code Interpreter, is now generally available.
]]>You can configure BigQuery sharing listings for multiple regions, which allows you to share datasets and linked replicas across global geographies simultaneously. For more information, see Create a listing. This feature is generally available (GA).
Starting June 1, 2026, due to changes in Google Ads data retention policies, the BigQuery Data Transfer Service connectors for Google Ads, Search Ads 360, and Google Analytics 4 will stop populating data for backfill runs with dates earlier than 37 months from the current date.
For more information about the changes to the Google Ads data retention policies, see New Data Retention Policy for Google Ads starting June 1, 2026.
Managed Airflow (Gen 2) environments can no longer be created in Johannesburg (africa-south1). We're switching this region to supporting only Managed Airflow (Gen 3) environments. Existing Managed Airflow (Gen 2) environments in this region aren't affected by this change.
The following remote MCP servers automatically generate a trace span for
tools/call operations. These spans can help you understand the behavior of
your agentic applications. For more information, see
Investigate MCP calls using Trace.
Cluster Toolkit v1.90.0 is available. This release adds an experimental
capability to submit jobs that you can use with the gcluster job command. This
version also adds support for regional AI zones in Slurm by using the
locationPolicy.zones resource. Additionally, this release updates examples for
GKE TPU, exposes outputs for accelerator topology and slice controllers, and
fixes several Slurm issues. For details, see the Release announcement on
GitHub.
Gemini Enterprise: New data stores (Public Preview)
The following data stores are available in Gemini Enterprise:
These data stores are in Public Preview. For more information, see Connect a third-party data source.
Fixed an issue with Audio track extraction (Gemini Embedding 2 only) where the audio_track_extraction feature did not work. For more information, see Issue #504505771.
Agent Platform Gemini 3.1 Flash Image and Gemini 3 Pro Image
Gemini Enterprise Agent Platform Gemini 3.1 Flash Image Preview and Gemini 3 Pro Image Preview are introducing the following changes:
Mobile SDK for iOS version 2.15.3 patch
This patch updates the following for the mobile SDK for iOS:
Google Distributed Cloud (software only) for VMware 1.35.0-gke.525 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.35.0-gke.525 runs on Kubernetes v1.35.2-gke.300.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following features were added in 1.35.0-gke.525:
Platform update to Kubernetes 1.35: This release updates the underlying Kubernetes version to 1.35.
cgroupsv1, the legacy ubuntu, ubuntu_containerd, and cos OSImageType options are no longer supported in this release.cgroupsv2, see the Kubernetes documentation on migrating to cgroupv2.The Ubuntu image has been upgraded to 24.04 on all node types for 1.35.0-gke.525. When you upgrade your control plane and node pools, the nodes are automatically recreated with the new operating system image.
gkectl prints the Operation ID and Operation Type to the console after
cluster operations.
For advanced clusters, the default node pool update policy is changed to parallel
instead of sequential. This applies to all advanced clusters (both new and
existing upon upgrade). To customize or revert this behavior, use the
nodePoolUpdatePolicy and maximumConcurrentNodePoolUpdate fields in the
cluster configuration file.
The default Docker bridge IP for advanced clusters has been changed to 169.
254.123.1/24 instead of 172.17.0/16. This change reduces the likelihood of
conflicts with user-configured networks. If you use the 172.17.0/16 range
for other purposes, cluster creation might fail due to this conflict.
vsphere-csi-controller in advanced clusters is deployed on the user
cluster control plane nodes instead of worker nodes. This architectural
change happens automatically during upgrade and does not impact resource
sizing recommendations.
The following issues were fixed in 1.35.0-gke.525:
cloud.google.com/
gke-nodepool label for workload node pools unexpectedly included an -np
suffix. This caused pods using nodeSelector targeting the original pool
name (such as Apigee workloads) to fail to schedule. For clusters on older
versions experiencing this issue, you can work around it by manually setting
the expected label in the node pool configuration.
stackdriver.enableVPC field to
true in a cluster configuration file would block upgrades to an Advanced
Cluster. The stackdriver.enableVPC field has been deprecated and its
setting will be ignored during the upgrade validation process. For clusters on
older versions experiencing this issue, you can work around it by removing
the field or setting it to false in your configuration file before
upgrading.
/run/containerd/containerd.sock) and unsuccessful cluster upgrades.
gkectl upgrade admin fails on retry with "AlreadyExists" errors in the bootstrap cluster, eliminating the need to manually delete conflicting
resources from the bootstrap cluster before retrying.
Google Distributed Cloud (software only) for bare metal 1.35.0-gke.525 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.35.0-gke.525 runs on Kubernetes v1.35.2-gke.300.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.35.0-gke.525:
Platform update to Kubernetes 1.35: This release updates the underlying Kubernetes version to 1.35.
cgroupsv1, you must manually configure your operating system to enable cgroupsv2 before upgrading. For instructions, see the Red Hat knowledge base article on enabling cgroup v2.cgroupsv2, see the Kubernetes documentation on migrating to cgroupv2.Added a periodic health check to detect stale secret and ConfigMap mounts on Google Kubernetes Engine pods. To account for normal propagation delays, a content mismatch is only reported as an error if the data remains stale for more than 5 minutes.
Upgraded the Ansible version to 2.18. This version requires Python 3.9 on target nodes. For customers using Red Hat Enterprise Linux, version 8.10 or later is required because the default Python version in earlier Red Hat 8 releases (Python 3.6) is not supported by Ansible 2.18.
You can use the header section of the cluster configuration file to specify registry mirrors for your clusters. This simplifies the management of registry mirrors and provides a more consistent configuration experience. For instructions on how to update or remove these settings, see the Registry Mirror documentation.
Preview Added support for EgressDSCP tagging. With this feature, you can
mark IP headers with specific Differentiated Services Code Point (DSCP)
values on packets leaving the cluster to prioritize network traffic. To use
this feature, you must set preview.baremetal.cluster.gke.io/traffic-selector:
to enable in your cluster configuration and manage traffic selection using
the EgressDSCP and TrafficSelector custom resources. For more information,
see Configure EgressDSCP tagging.
bmctl prints the Operation ID and OperationType to the console after
cluster installation and upgrade operations.
The following issues were fixed in 1.35.0-gke.525:
Terminating state. Because
the Kubernetes Eviction API rejects operations in terminating namespaces, the
cluster controller entered an infinite retry loop. The fix updates the drain
process to skip eviction for pods in terminal phases, allowing the upgrade to
proceed normally.
baremetal.cluster.gke.io/concurrent-machine-update: "true".
kubectl top,
Horizontal Pod Autoscaling, and Vertical Pod Autoscaling could
fail with TLS verification errors during certificate authority rotation. This
occurred because the leaf certificate was not immediately renewed when the
certificate authority was rotated, causing a temporary mismatch between the
trusted certificate authority bundle and the certificate presented by the
metrics server.GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2441000 | cos-117-18613-534-106 | cos-117-18613-534-106 release notes |
| 1.31.14-gke.1850000 | cos-117-18613-534-106 | cos-117-18613-534-106 release notes |
| 1.32.13-gke.1449000 | cos-117-18613-534-106 | cos-117-18613-534-106 release notes |
| 1.33.11-gke.1137000 | cos-121-18867-381-113 | cos-121-18867-381-113 release notes |
| 1.34.7-gke.1321000 | cos-125-19216-220-180 | cos-125-19216-220-180 release notes |
| 1.35.3-gke.1993000 | cos-125-19216-220-180 | cos-125-19216-220-180 release notes |
| 1.36.0-gke.1575000 | cos-125-19216-220-180 | cos-125-19216-220-180 release notes |
A fix is available for an issue that caused incomplete file reads and premature end-of-file (EOF) errors when you used the Cloud Storage FUSE CSI driver on ARM64 nodes that use 64 KiB page sizes, such as A4X and A4X Max instances. This issue occurred because the kernel read-ahead mechanism triggered read requests that exceeded the capacity of the Cloud Storage FUSE layer.
To resolve this issue, upgrade your cluster to one of the following versions:
GKE Pod Snapshots is generally available on clusters that run version 1.35.3-gke.1234000 or later. For more information, see About GKE Pod snapshots.
In GKE Standard clusters, live migration is now supported on Confidential GKE Nodes that use C3D machine series with AMD SEV enabled.
Tenable.io: Version 18.0
Improved the handling of concurrent requests and API rate limits in the following action:
SiemplifyUtilities: Version 30.0
Added support for backticks to the following action:
Azure Active Directory: Version 27.0
Updated enrichment logic to ensure id is fetched when
Include Last Sign In Details is enabled in the following action:
Palo Alto Next Gen Firewall: Version 29.0
For Exadata Database Service on Exascale infrastructure and Base Database Service, Oracle Database@Google Cloud supports the following regions and zones:
asia-south1-b-r1 (Mumbai, India)asia-south2-b-r1 (Delhi, India)For a list of supported locations, see Supported regions and zones.
You can now use CODEOWNERS files to define required reviewers for pull requests.
Organization Policy Service custom constraints are available in General Availability for private services access connections. For more information, see Restrict private connections with organization policies.
]]>Config Connector version 1.149.1 is now available.
New Alpha Resources (Direct Reconciler):
NetworkServicesLBRouteExtension #6957
ParameterManagerParameterVersion #7140
New Features:
resourceSettings in ConfigConnector (global) and ConfigConnectorContext (per-namespace). This lets you to selectively disable reconciliation for specific Group/Kinds to save memory or manage resources differently.Reconciliation Improvements:
Added support for direct reconciliation to more resources, with opt-in behaviour. The API is unchanged. To use the direct reconciler, add the cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object.
Bug Fixes:
The VMware Engine ve2 node type is now available in the following
additional region:
europe-west4-a)Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
AKEYLESS_VAULT)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_EC2_VPCS)AWS_SECURITY_HUB)AZURE_FIREWALL)AZURE_FRONT_DOOR)BARRACUDA_CLOUDGEN_FIREWALL)BLUECOAT_WEBPROXY)CHECKPOINT_FIREWALL)CHECKPOINT_EDR)CHECKPOINT_SMARTDEFENSE)CHRONICLE_SOAR_AUDIT)CISCO_ACI)CISCO_ASA_FIREWALL)CISCO_FIRESIGHT)CISCO_IOS)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CISCO_WIRELESS)CITRIX_NETSCALER)CLAROTY_XDOME)CLOUDFLARE_WARP)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)EPIC)F5_ASM)F5_BIGIP_APM)F5_BIGIP_LTM)F5_DCS)FIREEYE_EMPS)FIREEYE_NX)FORTINET_FIREWALL)FORTINET_FORTIEDR)FORTINET_WEBPROXY)GITHUB)GCP_CLOUDAUDIT)GTI_IOC)GUARDICORE_CENTRA)CLEARPASS)HUAWEI_SWITCH)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_SECURESPHERE)INFOBLOX)JUNIPER_FIREWALL)KUBERNETES_NODE)AUDITD)ADMANAGER_PLUS)MCAFEE_EPO)MCAFEE_WEBPROXY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_DEFENDER_ENDPOINT)MICROSOFT_DEFENDER_IDENTITY)MICROSOFT_GRAPH_ALERT)IIS)MOBILEIRON)GCP_MODEL_ARMOR)MYSQL)NETSKOPE_WEBPROXY)NONAME_API_SECURITY)OFFICE_365)OKTA)OCI_AUDIT)ORACLE_NETSUITE)PAN_FIREWALL)PAN_PANORAMA)PAN_CASB)PAN_PRISMA_CA)PING)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)RAPID7_INSIGHT)SAP_HANA_AUDIT)SECUREAUTH_SSO)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SENTINEL_DV)SENTINELONE_CF)SILVERFORT)CA_SSO_WEB)SONIC_FIREWALL)SQUID_WEBPROXY)STIX)SURICATA_EVE)SYSDIG)TANIUM_THREAT_RESPONSE)THINKST_CANARY)TRENDMICRO_APEX_ONE)NIX_SYSTEM)VECTRA_XDR)VMWARE_ESX)WALLIX_BASTION)WATCHGUARD)WINDOWS_DEFENDER_AV)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)ZSCALER_EMAIL_DLP)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ALTIRIS_LOGS)ARUBA_AP)BLOXONE_DHCP)CHECKMARX_ONE)CISCO_NDO)CROWDSTRIKE_CSPM)F5_F5OS_A)GATEWATCHER_NDR)HASHICORP_TERRAFORM)JAMF_PROTECT_V2)OCI_WAF)QUALYS_FIM)SAILPOINT_IDENTITYNOW)SERVICENOW_CERTIFICATE)SERVICENOW_USER)SERVICENOW_USER_LOGIN_HISTORY)SITEGUARD_SERVER)TOSI_HUB)TRELLIX_NDR)Google SecOps has updated the list of list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
AKEYLESS_VAULT)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_EC2_VPCS)AWS_SECURITY_HUB)AZURE_FIREWALL)AZURE_FRONT_DOOR)BARRACUDA_CLOUDGEN_FIREWALL)BLUECOAT_WEBPROXY)CHECKPOINT_FIREWALL)CHECKPOINT_EDR)CHECKPOINT_SMARTDEFENSE)CHRONICLE_SOAR_AUDIT)CISCO_ACI)CISCO_ASA_FIREWALL)CISCO_FIRESIGHT)CISCO_IOS)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CISCO_WIRELESS)CITRIX_NETSCALER)CLAROTY_XDOME)CLOUDFLARE_WARP)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)EPIC)F5_ASM)F5_BIGIP_APM)F5_BIGIP_LTM)F5_DCS)FIREEYE_EMPS)FIREEYE_NX)FORTINET_FIREWALL)FORTINET_FORTIEDR)FORTINET_WEBPROXY)GITHUB)GCP_CLOUDAUDIT)GTI_IOC)GUARDICORE_CENTRA)CLEARPASS)HUAWEI_SWITCH)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_SECURESPHERE)INFOBLOX)JUNIPER_FIREWALL)KUBERNETES_NODE)AUDITD)ADMANAGER_PLUS)MCAFEE_EPO)MCAFEE_WEBPROXY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_DEFENDER_ENDPOINT)MICROSOFT_DEFENDER_IDENTITY)MICROSOFT_GRAPH_ALERT)IIS)MOBILEIRON)GCP_MODEL_ARMOR)MYSQL)NETSKOPE_WEBPROXY)NONAME_API_SECURITY)OFFICE_365)OKTA)OCI_AUDIT)ORACLE_NETSUITE)PAN_FIREWALL)PAN_PANORAMA)PAN_CASB)PAN_PRISMA_CA)PING)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)RAPID7_INSIGHT)SAP_HANA_AUDIT)SECUREAUTH_SSO)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SENTINEL_DV)SENTINELONE_CF)SILVERFORT)CA_SSO_WEB)SONIC_FIREWALL)SQUID_WEBPROXY)STIX)SURICATA_EVE)SYSDIG)TANIUM_THREAT_RESPONSE)THINKST_CANARY)TRENDMICRO_APEX_ONE)NIX_SYSTEM)VECTRA_XDR)VMWARE_ESX)WALLIX_BASTION)WATCHGUARD)WINDOWS_DEFENDER_AV)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)ZSCALER_EMAIL_DLP)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ALTIRIS_LOGS)ARUBA_AP)BLOXONE_DHCP)CHECKMARX_ONE)CISCO_NDO)CROWDSTRIKE_CSPM)F5_F5OS_A)GATEWATCHER_NDR)HASHICORP_TERRAFORM)JAMF_PROTECT_V2)OCI_WAF)QUALYS_FIM)SAILPOINT_IDENTITYNOW)SERVICENOW_CERTIFICATE)SERVICENOW_USER)SERVICENOW_USER_LOGIN_HISTORY)SITEGUARD_SERVER)TOSI_HUB)TRELLIX_NDR)On May 4, 2026 we released an updated version of the Apigee hybrid software, v1.15.3.
| Bug ID | Description |
|---|---|
| N/A | Security fixes for apigee-asm-ingress. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-asm-istiod. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-connect-agent. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra-client. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-mart-server. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-operators. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-prom-prometheus. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-redis. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-runtime. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-stackdriver-logging-agent. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-synchronizer. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-udca. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-watcher. This addresses the following vulnerabilities: |
You can now create and configure the following organization-level Cloud NGFW resources within a Google Cloud project:
For more information, see Security profile overview, Security profile group overview, and Firewall endpoint overview. This feature is available in Public preview.
Cloud SQL for SQL Server now supports PolyBase (GA).
With PolyBase, your Cloud SQL for SQL Server instance uses Transact-SQL (T-SQL) commands to directly query data stored in external data sources as if the data is stored in local tables. You don't need to install separate client connection software.
For more information, see About PolyBase.
The JetBrains Rider preconfigured base image includes .NET 10.0 and drops .NET 6.0.
The JetBrains RubyMine preconfigured base image
installs Ruby using ruby-build instead of RVM (Ruby Version Manager).
When running a Confidential Space workload with an NVIDIA H100 GPU attached, you might see the following error message:
failed to get launchspec, make sure you're running inside
a GCE VM: GPU Driver installation is not supported.
This is a known issue with the Confidential Space image. To work around the issue, restart the Confidential VM.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
Added the cos_kernel_args tool that allows manipulating kernel command line arguments of a COS image.
Upgraded app-admin/sosreport to v4.11.1.
Upgraded app-shells/dash to v0.5.13.3.
Fixed CVE-2025-21709 in the Linux kernel.
Fixed CVE-2025-22116 in the Linux kernel.
Fixed CVE-2025-39764 in the Linux kernel.
Fixed CVE-2025-40135 in the Linux kernel.
Fixed CVE-2025-68239 in the Linux kernel.
Fixed CVE-2025-71161 in the Linux kernel.
Fixed CVE-2026-23004 in the Linux kernel.
Fixed CVE-2026-23138 in the Linux kernel.
Fixed CVE-2026-23157 in the Linux kernel.
Fixed CVE-2026-23245 in the Linux kernel.
Fixed CVE-2026-23277 in the Linux kernel.
Fixed CVE-2026-23368 in the Linux kernel.
Fixed CVE-2026-23374 in the Linux kernel.
Fixed CVE-2026-23441 in the Linux kernel.
Fixed CVE-2026-23442 in the Linux kernel.
Fixed CVE-2026-31532 in the Linux kernel.
Fixed CVE-2026-31546 in the Linux kernel.
Fixed CVE-2026-31554 in the Linux kernel.
Fixed CVE-2026-31555 in the Linux kernel.
Fixed CVE-2026-31557 in the Linux kernel.
Fixed CVE-2026-31561 in the Linux kernel.
Fixed CVE-2026-31580 in the Linux kernel.
Fixed CVE-2026-31586 in the Linux kernel.
Fixed CVE-2026-31588 in the Linux kernel.
Fixed CVE-2026-31628 in the Linux kernel.
Fixed CVE-2026-31647 in the Linux kernel.
Fixed CVE-2026-31648 in the Linux kernel.
Fixed CVE-2026-31664 in the Linux kernel.
Fixed CVE-2026-31665 in the Linux kernel.
Fixed CVE-2026-31667 in the Linux kernel.
Fixed CVE-2026-31671 in the Linux kernel.
Fixed CVE-2026-31673 in the Linux kernel.
Fixed CVE-2026-31675 in the Linux kernel.
Fixed CVE-2026-31677 in the Linux kernel.
Fixed CVE-2026-31680 in the Linux kernel.
Fixed CVE-2026-31681 in the Linux kernel.
Fixed CVE-2026-31682 in the Linux kernel.
Upgraded dev-libs/openssl to v3.5.6 to fix CVE-2026-28387, CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31790.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.7 | See List |
Fixed CVE-2025-39764 in the Linux kernel.
Fixed CVE-2025-68239 in the Linux kernel.
Fixed CVE-2025-71161 in the Linux kernel.
Fixed CVE-2026-23004 in the Linux kernel.
Fixed CVE-2026-23138 in the Linux kernel.
Fixed CVE-2026-23157 in the Linux kernel.
Fixed CVE-2026-23277 in the Linux kernel.
Fixed CVE-2026-23375 in the Linux kernel.
Fixed CVE-2026-23391 in the Linux kernel.
Fixed CVE-2026-23401 in the Linux kernel.
Fixed CVE-2026-23417 in the Linux kernel.
Fixed CVE-2026-23439 in the Linux kernel.
Fixed CVE-2026-23458 in the Linux kernel.
Fixed CVE-2026-31403 in the Linux kernel.
Fixed CVE-2026-31546 in the Linux kernel.
Fixed CVE-2026-31554 in the Linux kernel.
Fixed CVE-2026-31555 in the Linux kernel.
Fixed CVE-2026-31561 in the Linux kernel.
Fixed CVE-2026-31590 in the Linux kernel.
Fixed CVE-2026-31593 in the Linux kernel.
Fixed CVE-2026-31614 in the Linux kernel.
Fixed CVE-2026-31628 in the Linux kernel.
Fixed CVE-2026-31647 in the Linux kernel.
Fixed CVE-2026-31665 in the Linux kernel.
Fixed CVE-2026-31671 in the Linux kernel.
Fixed CVE-2026-31673 in the Linux kernel.
Fixed CVE-2026-31675 in the Linux kernel.
Fixed CVE-2026-31677 in the Linux kernel.
Fixed CVE-2026-31680 in the Linux kernel.
Fixed CVE-2026-31681 in the Linux kernel.
Fixed CVE-2026-31682 in the Linux kernel.
Fixed CVE-2026-31688 in the Linux kernel.
Upgraded dev-libs/openssl to v3.5.6 to fix CVE-2026-28387, CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31790.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Upgraded app-shells/dash to v0.5.13.3.
Upgraded sys-process/lsof to v4.99.6.
Fixed CVE-2025-37980 in the Linux kernel.
Fixed CVE-2026-23268 in the Linux kernel.
Fixed CVE-2026-23269 in the Linux kernel.
Fixed CVE-2026-23403 in the Linux kernel.
Fixed CVE-2026-23404 in the Linux kernel.
Fixed CVE-2026-23405 in the Linux kernel.
Fixed CVE-2026-23406 in the Linux kernel.
Fixed CVE-2026-23407 in the Linux kernel.
Fixed CVE-2026-23408 in the Linux kernel.
Fixed CVE-2026-23409 in the Linux kernel.
Fixed CVE-2026-23410 in the Linux kernel.
Fixed CVE-2026-31446 in the Linux kernel.
Fixed CVE-2026-31447 in the Linux kernel.
Fixed CVE-2026-31452 in the Linux kernel.
Fixed CVE-2026-31453 in the Linux kernel.
Fixed CVE-2026-31454 in the Linux kernel.
Fixed CVE-2026-31466 in the Linux kernel.
Fixed CVE-2026-31469 in the Linux kernel.
Fixed CVE-2026-31496 in the Linux kernel.
Fixed CVE-2026-31515 in the Linux kernel.
Fixed CVE-2026-31521 in the Linux kernel.
Fixed CVE-2026-31523 in the Linux kernel.
Fixed CVE-2026-31546 in the Linux kernel.
Fixed CVE-2026-31555 in the Linux kernel.
Fixed CVE-2026-31664 in the Linux kernel.
Fixed CVE-2026-31665 in the Linux kernel.
Fixed CVE-2026-31667 in the Linux kernel.
Fixed CVE-2026-31671 in the Linux kernel.
Fixed CVE-2026-31680 in the Linux kernel.
Fixed CVE-2026-31682 in the Linux kernel.
Fixed KCTF-42156f9 in the Linux kernel.
Fixed KCTF-a9b8b18 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Upgraded app-admin/sosreport to v4.11.1.
Upgraded app-shells/dash to v0.5.13.3.
Upgraded sys-apps/makedumpfile to v1.7.9.
Fixed CVE-2025-22125 in the Linux kernel.
Fixed CVE-2026-23255 in the Linux kernel.
Fixed CVE-2026-23302 in the Linux kernel.
Fixed CVE-2026-23374 in the Linux kernel.
Fixed CVE-2026-23399 in the Linux kernel.
Fixed CVE-2026-23442 in the Linux kernel.
Fixed CVE-2026-31407 in the Linux kernel.
Fixed CVE-2026-31429 in the Linux kernel.
Fixed CVE-2026-31555 in the Linux kernel.
Fixed CVE-2026-31628 in the Linux kernel.
Fixed CVE-2026-31648 in the Linux kernel.
Fixed CVE-2026-31664 in the Linux kernel.
Fixed CVE-2026-31665 in the Linux kernel.
Fixed CVE-2026-31671 in the Linux kernel.
Fixed CVE-2026-31673 in the Linux kernel.
Fixed CVE-2026-31675 in the Linux kernel.
Fixed CVE-2026-31680 in the Linux kernel.
Fixed CVE-2026-31681 in the Linux kernel.
Fixed CVE-2026-31682 in the Linux kernel.
Fixed CVE-2026-31688 in the Linux kernel.
Upgraded openssl to v3.0.20 to fix CVE-2026-28387, CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31790.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Upgraded app-shells/dash to v0.5.13.3.
Upgraded sys-apps/makedumpfile to v1.7.9.
Fixed CVE-2025-22125 in the Linux kernel.
Fixed CVE-2026-23255 in the Linux kernel.
Fixed CVE-2026-23302 in the Linux kernel.
Fixed CVE-2026-23374 in the Linux kernel.
Fixed CVE-2026-23399 in the Linux kernel.
Fixed CVE-2026-31407 in the Linux kernel.
Fixed CVE-2026-31429 in the Linux kernel.
Fixed CVE-2026-31546 in the Linux kernel.
Fixed CVE-2026-31555 in the Linux kernel.
Fixed CVE-2026-31628 in the Linux kernel.
Fixed CVE-2026-31648 in the Linux kernel.
Fixed CVE-2026-31664 in the Linux kernel.
Fixed CVE-2026-31665 in the Linux kernel.
Fixed CVE-2026-31667 in the Linux kernel.
Fixed CVE-2026-31671 in the Linux kernel.
Fixed CVE-2026-31673 in the Linux kernel.
Fixed CVE-2026-31680 in the Linux kernel.
Fixed CVE-2026-31681 in the Linux kernel.
Fixed CVE-2026-31682 in the Linux kernel.
Fixed CVE-2026-31688 in the Linux kernel.
Upgraded openssl to v3.0.20 to fix CVE-2026-28387, CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31790.
Google Cloud CCaaS 4.26
We've released version 4.26 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Fewest Agents Routing
Fewest Agents Routing has been added to chat Deltacast configuration. Fewest Agents Routing keeps busy agents engaged while preserving idle agents for future workload spikes.
Administrators:
The following new settings are available at Settings > Operation Management > Routing > Chat Routing > Deltacast Routing Logic:
Longest Idle Routing to distribute workload equally between agents. This is the same as the previous default routing behavior.
Fewest Agents Routing to maximize utilization and call availability. This is the new routing behavior that concentrates new chats on busy agents.
For more information, see Deltacast routing logic for chat.
Skip account or record creation for HubSpot
You can configure your instance to prevent the automatic creation of accounts and records in HubSpot while ensuring that data such as media files and transcripts is preserved. You can configure how the system handles closed records when a record ID is passed using the SDK.
Administrators:
The following new settings are available at Settings > Operation Management > CRM Record Creation Details:
Skip CRM account creation
Skip CRM account lookup
Skip CRM record creation
Closed record options when record ID is passed in via SDK
Create new record
Reopen record
For more information, see Configure HubSpot record creation.
Improved Agent Assist visibility during transfers
When a chat is transferred, the originating agent and the receiving agent see Agent Assist as it's configured for their respective teams or queues. This behavior now also applies to transfers of direct inbound calls.
For more information, see Configure Agent Assist at the team level.
Breakthrough for wrap-up improvements
If breakthrough is configured for Wrap-up and Wrap-up Exceeded statuses,
agents can now answer breakthrough calls even if they haven't completed the
following:
Submitted disposition codes and notes.
Manually switched to Available status.
Additionally, agents in Wrap-up status who accept breakthrough calls before
submitting disposition codes and notes can now switch between the call and the
wrap-up screen.
User experience changes include the following:
The call adapter contains a switcher button that lets agents switch between an ongoing call and the wrap-up screen for a previous call.
The mini-adapter on the agent desktop expands to let you switch between an ongoing call and the wrap-up screen for a previous call.
For more information, see Breakthrough for wrap-up.
Custom field mapping for HubSpot
You can map your web or mobile SDK custom data fields to your HubSpot installation's custom fields. At runtime, when the SDK sends a custom data value, the system writes the value to the mapped HubSpot custom field.
Administrators: On the Settings > Operation Management page, there's a new Custom Field Mapping pane.
For more information, see HubSpot custom field mapping.
Call scheduling improvements
We've made the following improvements to call scheduling for web SDK v3 and the headless web SDK:
Configurable time slots. You can configure the length of call-scheduling time slots.
Day-based time slot selection. End-users can browse available time slots organized by day.
Rescheduling. If an end-user reopens the web SDK and has an existing scheduled call, they're prompted to manage that appointment (reschedule or cancel) before starting a new flow.
Cancellation. End-users can cancel a previously scheduled call.
Queue-level configuration. You can configure call scheduling at the queue level.
Administrators:
There's a new Scheduled Calls pane on the Settings > Calls page.
There's a new Scheduled Calls section in the Settings >
Queue > Web > SELECT_QUEUE
pane.
We moved Scheduled Call Countdown and Scheduled Call Expiration from Settings > Calls > Call Details to Settings > Calls > Scheduled Calls.
We've added the following settings to the Settings > Calls > Scheduled Calls pane:
Consumers can schedule calls up to
SELECT_INTEGER day(s) in the future
Static > Maximum calls per time slot
User experience changes:
SELECT_INTEGER day(s) in the future, a new
Select a day screen appears to end-users who reschedule a call.For more information, see Scheduled calls.
Headless web SDK updates
We've made the following updates to the headless web SDK:
New methods:
fetchTimeSlotAvailability. Check if time slots are available for a given menu.
restoreCobrowseSession. Restores a cobrowse session after the browser window is reopened.
getLogs. Gets the internal debug logs collected by the SDK.
Updated signatures:
getTimeSlots. Includes the GetTimeSlotsRequest interface.
updatePostSession. Includes an optInSelection parameter.
For more information, see getTimeSlots.
Accessibility and design improvements
We've made the following accessibility and design improvements to the web SDK v3 and the headless web SDK:
WCAG Compliance. Updated to comply with Web Content Accessibility Guidelines (WCAG).
Right-to-left support. Now supports right-to-left languages: Arabic, Hebrew, Farsi, and Urdu.
Improved screen reader compatibility. Improved support for screen readers.
Improved spacing. Uses 4px-based spacing to improve the look and feel of page displays.
This release addresses the following issues:
Fixed an issue where the Telnyx integration attempted to reconnect websockets after a failure, even when this behavior was not desired.
Fixed an issue where Agent Assist disappeared for the third agent during consecutive queue transfers.
Fixed an issue where empty responses from Dialogflow were passed through to CCAI Platform, resulting in undefined call behavior.
Fixed an issue where active outbound campaigns stopped dialing when a concurrent campaign encountered timezone restrictions, requiring manual intervention to resume calls.
Fixed an issue where campaigns didn't resume after being paused, resulting in call session failures and missing participant information.
Fixed an issue where chat transfers involving multiple agents failed, causing agents to become stuck in an "in chat" status even when no active chats were present.
Fixed an issue where incoming chats were routed to newly signed-in agents instead of agents who had been available the longest.
Fixed an issue where chat messages sent by end-users immediately after starting a chat, but before an agent joined, weren't delivered to the agent.
Fixed an issue where the recording_url field in session data wasn't
populated after calls ended.
Fixed an issue where call transfers were incorrectly tagged as Warm instead of Cold when the transferring agent disconnected before the receiving agent answered.
Fixed an issue where call recordings for sessions ending with a virtual agent post-call survey were truncated. This resulted in the main human agent conversation not being saved.
Fixed an issue where outbound call restrictions incorrectly blocked calls
to Japanese numbers, even when settings allowed them.
Fixed an issue where agents could become stuck in Wrap-up status after a call was transferred to another agent's voicemail and the end user disconnected during the voicemail greeting.
Fixed an issue where, in third-party transfer calls with Call recording for third-party transfers set to off, redaction didn't begin immediately after the agent disconnected.
Fixed an issue where calls didn't connect and re-queued, resulting in long queue times for agents.
Fixed an issue where disposition lists in the call adapter didn't appear in alphabetical order, as configured in the portal.
Fixed an issue where chats in the agent desktop didn't transition to the End Wrap-Up state after the agent clicked Submit.
Fixed an issue where the apps/api/v1/users API returned only 100 records
per page, even when a higher limit was specified.
Fixed an issue where filtering by queue name on the Queued Chats and Queued Calls pages didn't return accurate results.
Fixed an issue where updating an agent's skills from the Agents page mistakenly removed their extension number.
Fixed an issue where users of the Dialer Admin role couldn't add teams to a queue.
Fixed an issue where call wrap-up interactions recorded inaccurate data, such as excessive wrap-up times, redundant instances, and incorrect chronological sequencing.
Fixed an issue that occurred when an agent with Agent Assist transferred a call to a second agent with Agent Assist. After the transfer, the second agent no longer had access to Agent Assist.
Fixed an issue with Salesforce integrations in the agent desktop where notification flags overlapped the Salesforce Utility Bar navigation, which prevented agents from accessing navigation controls.
Fixed an issue where agents were incorrectly reported as Available for an
extended period after signing out.
Fixed an issue where calls waiting in a queue with no available agents weren't connected when an agent became available.
Fixed an issue where the previous CCAI Insights name appeared in the portal instead of Customer Experience Insights.
Fixed an issue for Alvaria users where the Agent Performance Report was mistakenly generated and sent at 7:00 PM instead of midnight, which resulted in incomplete 24-hour performance data.
Fixed an issue where agents who left a predictive campaign pool were
incorrectly left in Available status.
Fixed an issue where chat sessions returned an error during post-session transfer if no virtual agent participant was active.
Fixed an issue where, after a call failure, the agent adapter displayed a generic error message instead of an error message that included the failure reason.
Fixed an issue for Telnyx users where the instance stopped responding.
Fixed an issue that occurred when users tried to delete a queue. A message was returned saying that the queue was assigned as a deflection or redirection option even though these settings weren't activated for the queue.
Fixed an issue where adding multiple voice queues resulted in long loading times, request timeouts, and incorrect concurrency errors.
Fixed an issue where overcapacity deflection options messages mistakenly played twice instead of once.
Fixed an issue where chats escalated by a virtual agent disconnected seconds after assignment to a human agent, which prevented the human agent and the end-user from interacting.
Fixed an issue where spurious chat interactions appeared in the All Interactions dashboard, which caused discrepancies in handled chat reporting and incorrect failed session filtering.
Fixed a web SDK v3 issue where the out-of-office deflection message that appeared in the end-user's chat window didn't match the message in the chat transcript.
Fixed an issue where agents received incorrect Missed target response time notifications in agent desktop SMS chats, even when responding promptly.
Fixed an issue where agents attempting to access their contact center using private ingress couldn't connect.
Fixed an issue where the Allow transfers to queues outside of hours of operation checkbox was unexpectedly unavailable.
Fixed an issue where verified outbound phone numbers couldn't be added to a queue because the selection field was empty, which prevented administrators from assigning new phone numbers.
Fixed an issue where attempts to rename IVR queues using redirection data in legacy YAML files resulted in errors.
You can now enable zonal affinity for your Network Security Integration in-band integration deployments and configure zonal interception with regional backends. For more information, see Zonal affinity.
Spanner vector index and approximate nearest neighbor (ANN) distance functions are generally available (GA) for PostgreSQL databases.
]]>Enhanced "Time to respond" options for multi-choice questions
Google SecOps now provides more granular control over playbook execution when the "time to respond" for a MultiChoiceQuestion step is exceeded. When configuring a multi-choice question, you can now choose to proceed with one of the predefined answer branches or to create a dedicated branch to handle this scenario.
For more information, see Add a multi-choice question flow.
Release 6.3.84 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Enhanced "Time to respond" options for multi-choice questions
Google SecOps now provides more granular control over playbook execution when the "time to respond" for a MultiChoiceQuestion step is exceeded. When configuring a multi-choice question, you can now choose to proceed with one of the predefined answer branches or to create a dedicated branch to handle this scenario.
For more information, see Add a multi-choice question flow.
]]>Release 6.3.83 is now available for all regions.
]]>Google Cloud Observability has expanded the supported locations for observability buckets, which store your trace data, to include the following:
For a list of supported locations, see Locations for observability buckets.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
Added support for the R595 Nvidia driver production branch.
Made it so that /etc/machine-id is mounted with noexec, nosuid, and nodev.
Enabled CONFIG_SCHED_CLASS_EXT and CONFIG_EXT_GROUP_SCHED.
Added support for NVIDIA drivers v580.126.16 and v580.126.20.
Fixed KCTF-42156f9 in the Linux kernel.
Fixed an ext4/jbd2 performance regression on CPU Node.
Optimized IOMMU reference counting using atomic64_inc_return().
Serialized sequence allocation to prevent timeouts during concurrent TLB invalidations.
Upgraded sys-apps/makedumpfile to v1.7.9.
Fixed CVE-2026-23276 in the Linux kernel.
Fixed CVE-2026-23375 in the Linux kernel.
Fixed CVE-2026-23391 in the Linux kernel.
Fixed CVE-2026-23397 in the Linux kernel.
Fixed CVE-2026-23398 in the Linux kernel.
Fixed CVE-2026-23399 in the Linux kernel.
Fixed CVE-2026-23401 in the Linux kernel.
Fixed CVE-2026-23412 in the Linux kernel.
Fixed CVE-2026-23413 in the Linux kernel.
Fixed CVE-2026-23414 in the Linux kernel.
Fixed CVE-2026-23417 in the Linux kernel.
Fixed CVE-2026-23439 in the Linux kernel.
Fixed CVE-2026-23449 in the Linux kernel.
Fixed CVE-2026-23452 in the Linux kernel.
Fixed CVE-2026-23455 in the Linux kernel.
Fixed CVE-2026-23456 in the Linux kernel.
Fixed CVE-2026-23457 in the Linux kernel.
Fixed CVE-2026-23465 in the Linux kernel.
Fixed CVE-2026-23471 in the Linux kernel.
Fixed CVE-2026-31392 in the Linux kernel.
Fixed CVE-2026-31400 in the Linux kernel.
Fixed CVE-2026-31402 in the Linux kernel.
Fixed CVE-2026-31403 in the Linux kernel.
Fixed CVE-2026-31406 in the Linux kernel.
Fixed CVE-2026-31407 in the Linux kernel.
Fixed CVE-2026-31413 in the Linux kernel.
Fixed CVE-2026-31414 in the Linux kernel.
Fixed CVE-2026-31415 in the Linux kernel.
Fixed CVE-2026-31416 in the Linux kernel.
Fixed CVE-2026-31418 in the Linux kernel.
Fixed CVE-2026-31421 in the Linux kernel.
Fixed CVE-2026-31423 in the Linux kernel.
Fixed CVE-2026-31424 in the Linux kernel.
Fixed CVE-2026-31426 in the Linux kernel.
Fixed CVE-2026-31427 in the Linux kernel.
Fixed CVE-2026-31428 in the Linux kernel.
Fixed CVE-2026-31431 (copy.fail) in the Linux kernel.
Fixed CVE-2026-31434 in the Linux kernel.
Fixed CVE-2026-31438 in the Linux kernel.
Fixed CVE-2026-31446 in the Linux kernel.
Fixed CVE-2026-31447 in the Linux kernel.
Fixed CVE-2026-31448 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31450 in the Linux kernel.
Fixed CVE-2026-31451 in the Linux kernel.
Fixed CVE-2026-31452 in the Linux kernel.
Fixed CVE-2026-31453 in the Linux kernel.
Fixed CVE-2026-31454 in the Linux kernel.
Fixed CVE-2026-31455 in the Linux kernel.
Fixed CVE-2026-31466 in the Linux kernel.
Fixed CVE-2026-31469 in the Linux kernel.
Fixed CVE-2026-31495 in the Linux kernel.
Fixed CVE-2026-31496 in the Linux kernel.
Fixed CVE-2026-31515 in the Linux kernel.
Fixed CVE-2026-31516 in the Linux kernel.
Fixed CVE-2026-31519 in the Linux kernel.
Fixed CVE-2026-31521 in the Linux kernel.
Fixed CVE-2026-31523 in the Linux kernel.
Fixed CVE-2026-31525 in the Linux kernel.
Fixed CVE-2026-31528 in the Linux kernel.
Fixed CVE-2026-31531 in the Linux kernel.
Fixed CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144 in dev-lang/go.
Fixed CVE-2026-34743 in app-arch/xz-utils.
Fixed CVE-2026-4046 in sys-libs/glibc.
Fixed KCTF-42156f9 in the Linux kernel.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.7 | See List |
Made it so that /etc/machine-id is mounted with noexec, nosuid, and nodev.
Fixed an ext4/jbd2 performance regression on CPU Node.
Optimized IOMMU reference counting using atomic64_inc_return().
Serialized sequence allocation to prevent timeouts during concurrent TLB invalidations.
Fixed CVE-2026-31431 (copy.fail) in the Linux kernel.
Fixed CVE-2026-31664 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Optimized IOMMU reference counting using atomic64_inc_return().
Serialized sequence allocation to prevent timeouts during concurrent TLB invalidations.
Fixed CVE-2026-31431 (copy.fail) in the Linux kernel.
Fixed CVE-2026-31454 in the Linux kernel.
Fixed CVE-2026-31546 in the Linux kernel.
Fixed CVE-2026-31667 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Optimized IOMMU reference counting using atomic64_inc_return().
Serialized sequence allocation to prevent timeouts during concurrent TLB invalidations.
Fixed CVE-2026-31431 (copy.fail) in the Linux kernel.
Kubernetes 1.36 is now available in the Rapid channel. For more information about the content of Kubernetes 1.36, see Kubernetes 1.36 release notes, and Kubernetes 1.36 Release Blog.
reCAPTCHA Mobile SDK v18.9.0 is available for iOS. This version includes the following:
Reliability improvements and bug fixes.
Score distribution calibration and improvements for better bot detection. We recommend that you review your score threshold and adjust it if you experience a high number of false positives.
Beta support for visionOS.
Beta support for arm64e and Enhanced Security Features.
Starting May 7, 2026, new transfer configurations that transfer data from Google Ads using the BigQuery Data Transfer Service will require Multi-factor authentication (MFA) for individual user authentication. For more information, see May 7, 2026.
You can use Bigtable agent skills to let AI agents assist with Bigtable-related tasks, such as schema design, generating SQL queries, and infrastructure management.
Support for Model Context Protocol (MCP) servers and tools is deprecated. As of the July 30, 2026 shutdown date, you can no longer retrieve, list, enable, and disable MCP servers and tools using the Cloud API Registry API. For more information, see Feature deprecations.
Google Kubernetes Engine (GKE) Gateway supports Cloud CDN to help you cache content closer to your users, improve application latency, and reduce origin load. Using GKE Gateway APIs, you can configure, manage, and fine-tune caching configurations for different segments of your traffic. This feature is Generally Available.
For more information, see Configure Cloud CDN for Gateway.
Database Migration Service for heterogeneous migrations to Cloud SQL for PostgreSQL and AlloyDB for PostgreSQL now supports PostgreSQL version 18. For more information, see Supported source and destination databases.
Managed traffic classification for Cloud Interconnect is available in Preview.
This feature automates the assignment of differentiated services field codepoint (DSCP) bits in your outgoing packets. For more information, see Configure managed traffic classification.
Backend Cloud Storage buckets are available for regional external Application Load Balancers and regional internal Application Load Balancers.
For more information, see:
This feature is in General availability.
Cloud SQL has made the following enhancements to expand the list of eligible Cloud SQL Enterprise Plus edition instances that support planned operations with near-zero downtime.
Cloud SQL has made the following enhancements to expand the list of eligible Cloud SQL Enterprise Plus edition instances that support planned operations with near-zero downtime.
If a specific active query is blocked or running much longer than expected, it can block other dependent queries. Cloud SQL for SQL Server offers an optional feature that lets you view and terminate blocking queries.
For more information, see Blocked active queries (Preview).
Cluster Toolkit v1.89.0 is available. This release lets you configure virtual machines (VMs) dynamically for Slurm and manage secondary NICs by using the Networking Dynamic Resource Allocation (DRA) driver. This release also updates the GKE A3 Mega blueprint to align with integration tests and ensure stability. This version also adds support to use Fractional G4 GPU instances in Slurm. For details, see the Release announcement on GitHub.
Cortex Framework version 7 introduces a highly modular deployment architecture, simplified data orchestration via Dataform, and enhanced support for the next generation of AI-ready data products with BigQuery - enabling enterprises to build, extend, and deploy robust data models and pipelines for advanced analytics and AI/agentic use cases. To request access to the GitHub repository, see Request access.
Key architecture features
Data product accelerators
BigQuery based data product accelerators for SAP ERP (SAP ECC and S/4HANA), purpose-built for AI-readiness with agent-friendly metadata included for all data model and field-level descriptions.
Solution samples for SAP ERP or SAP BDC
Solution reference architectures and code snippets for demonstrating how to build use cases on top of Cortex Framework data products to address particular business needs.
Gemini Enterprise: Access to Gemini 3.1 Pro and 3 Flash in Limited Availability
Gemini Enterprise users now have access to 3.1 Pro and 3 Flash in Limited Availability. This means that Gemini Enterprise app users will get the generally available Service Level Objectives (SLOs) for these models as part of the Gemini Enterprise Service while the models are in Preview. We are currently monitoring the model's performance and determining the appropriate, long-term (SLOs) and plan to offer these SLOs soon. Additionally, we currently support standard Data Location (Data Residency or "DRZ") commitments in US/EU/global multi-regions.
For more information, see: Using Gemini 3.1 Pro and 3 Flash in Limited Availability.
VPC Service Controls for Google SecOps general availability
VPC Service Controls is now GA. This feature helps to create perimeters and protect resources and services data from accidental or targeted action by external or insider entities. This in turn can minimize unwarranted data exfiltration risks from Google Cloud services. For more information, see Configure VPC Service Controls for Google SecOps and Overview of VPC Service Controls.
Generally Available: The Resource Manager remote MCP server is now generally available. The remote MCP server lets AI agents dynamically search for and identify all Google Cloud projects that you have the necessary permissions to access. This ensures that agents have the correct identifiers (such as project ID, project number, and lifecycle state) before attempting more specific resource configurations.
For more information, see Use the Resource Manager remote MCP server.
BigQuery Connector for SAP version 2.13
Version 2.13 of the BigQuery Connector for SAP is generally available (GA). This version resolves an issue where data replication for partitioned tables failed when the table schema caching feature was enabled.
For more information, see What's new with BigQuery Connector for SAP.
VPC Service Controls feature: Support for using IAM roles in ingress and egress rules to allow access to resources protected by a service perimeter is generally available. This feature includes the following updates:
You can use the gcloud access-context-manager supported-permissions describe
command to check the support status of an IAM role.
You can use the gcloud access-context-manager supported-permissions list
command to retrieve the complete list of all supported permissions.
For more information, see Configure IAM roles in ingress and egress rules.
]]>On April 29th, 2026, we began maintenance updates of Apigee instances configured for maintenance windows.
If you set a preferred window for maintenance for your instance, and your instance version is below 1-17-0-apigee-4, your instance will be updated to 1-17-0-apigee-4 within the next seven to 21 days. A notification containing the expected date of upgrade will be sent within the next two business days.
For more information on participating in scheduled maintenance windows, see Maintenance overview and Manage Apigee instance maintenance windows.
Use the following Google-provided application templates in Preview:
Strict act-as mode is enforced globally for all Dataform repositories, requiring the use of a custom service account or user credentials for running Dataform workflows, BigQuery pipelines, notebooks, and data preparations.
You can now use the
VECTOR_INDEX.STATISTICS function to calculate how much an indexed table's data has drifted between when a
vector index was created and the present. If table data has changed enough
to require a vector index rebuild, you can use the
ALTER VECTOR INDEX REBUILD statement
to rebuild the vector index without downtime. These features are
generally available
(GA).
You can now use the PARTITION BY clause of the
CREATE VECTOR INDEX statement
to partition TreeAH vector indexes.
Partitioning enables partition pruning and can decrease I/O costs. This feature
is Generally Available.
You can manage object contexts in the Google Cloud Console. To learn more, see Use object contexts.
Preview: In an autoscaled managed instance group (MIG), you can monitor individual autoscaling events and view details to understand the reasons behind each autoscaling decision. For more information, see Monitor autoscaling events.
A Confidential Space image (260400) is available. Support for Confidential Space on H100 GPU (a3-highgpu-1g machine family) is generally available.
You can use custom constraints with Organization Policy to provide more
granular control over specific fields for the Folder and TeamFolder
resources. For more information, see
Create custom organization policy constraints.
This feature is
generally available
(GA).
Strict act-as mode is enforced globally for all Dataform repositories, requiring the use of a custom service account or user credentials for running Dataform workflows, BigQuery pipelines, notebooks, and data preparations.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.31.14-gke.1823000 | cos-117-18613-534-80 | cos-117-18613-534-80 release notes |
| 1.36.0-gke.1379000 | cos-125-19216-220-130 | cos-125-19216-220-130 release notes |
In GKE versions earlier than 1.34.6-gke.1154000 and
1.35.2-gke.1691000, mounting Cloud Storage buckets by using the
Cloud Storage FUSE CSI driver
can experience significant delays. This issue typically manifests as a
CreateContainer error that states the following message:
failed to reserve container name. This error is self-healing and resolves
automatically after the underlying mount operation completes and the container
runtime releases the reservation.
The delay is caused by an inefficient bucket access check performed by the
CSI driver sidecar by using the ListObjects API method, which can take
several hours to complete on buckets that contain millions of empty folders.
The error occurs because the kubelet enforces a strict two-minute timeout
for the container creation request. If the FUSE mount process exceeds this
time limit while the sidecar is performing the initial bucket access check,
then the kubelet cancels the operation and retries. However, the container
runtime remains blocked on the first attempt and retains the reservation for
the container name.
The new GKE releases fix this issue by replacing the
ListObjects check with the GetStorageLayout API method, which performs
the same validation but returns almost instantly in most cases.
To resolve this issue, upgrade your cluster to one of the following versions:
For GKE version 1.33 clusters running version 1.33.5-gke.2435000
or later, you can mitigate this issue by setting the
skipCSIBucketAccessCheck: "true" volume attribute to bypass the check.
There is no supported fix for this issue in cluster versions 1.33.5-gke.2435000 and earlier.
UrlScan.io: Version 30.0
Added is_risky handling to the following action:
Siemplify: Version 107.0
Microsoft Graph Mail: Version 41.0
Updated MSG attachments processing logic in the following connector:
Zerofox: Version 4.0
MISP: Version 39.0
Updated tag retrieval logic in the following actions:
Add Tag to an Attribute
Add Tag to an Event
Remove Tag from an Attribute
Remove Tag from an Event
Anomali ThreatStream: Version 16.0
Added is_risky handling to the following action:
Microsoft Graph Mail Delegated: Version 18.0
Updated MSG attachments processing logic in the following connector:
Palo Alto Cortex XDR: Version 28.0
Added the ability to ignore specific artifact types to the following connector:
Source code is now publicly available on GitHub for the following integrations:
Cisco Orbital: Version 9.0
F5 Big IQ: Version 8.0
FireEye EX: Version 14.0
HCL BigFix Inventory: Version 6.0
Illusive Networks: Version 8.0
Lastline: Version 10.0
McAfee ATD: Version 18.0
McAfee Active Response: Version 10.0
ObserveIT: Version 6.0
Outpost24: Version 9.0
Site24x7: Version 7.0
Splash: Version 8.0
Websense: Version 15.0
Google Cloud's Agent for SAP version 3.13
Version 3.13 of Google Cloud's Agent for SAP is generally available (GA). This version introduces minor bug fixes, enhancements for disk snapshot based recovery for SAP HANA, and security enhancements.
For more information, see What's new with Google Cloud's Agent for SAP.
]]>When the initial user or password is unspecified during cluster creation, a locked postgres role with null password is created.
You can now create materialized views over active change data capture (CDC) enabled tables. This feature is generally available (GA).
The following resource types are publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, SearchAllResources, and SearchAllIamPolicies APIs.
saasservicemgmt.googleapis.com/Saassaasservicemgmt.googleapis.com/Tenantsaasservicemgmt.googleapis.com/UnitKindsaasservicemgmt.googleapis.com/Unitsaasservicemgmt.googleapis.com/Releasebackupdr.googleapis.com/BackupPlanRevisionparallelstore.googleapis.com/Instanceaiplatform.googleapis.com/DeploymentResourcePoolManaged Airflow (Gen 3) environments with Airflow 3 support access with external identities through workforce identity federation starting from version composer-3-airflow-3.1.7-build.7.
The default version of Airflow is changed to 2.11.1.
Fixed an issue where DAGs were imported from snapshots even when the "Skip copying Cloud Storage data" option was selected.
The GOOGLE_CLOUD_PROJECT environment variable is now set on schedulers and
triggerers. It's no longer required to set the project ID explicitly when
configuring the Secret Manager backend.
New Airflow builds are available in Managed Airflow (Gen 3):
New images are available in Managed Airflow (Gen 2):
Airflow 2.9.3 is no longer included in Managed Airflow images and builds.
The following Managed Airflow versions and builds have reached their end of support period:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.7 | See List |
Added support for the R595 Nvidia driver production branch.
Added support for NVIDIA drivers v580.126.16 and v580.126.20.
Fixed KCTF-42156f9 in the Linux kernel.
Upgraded app-admin/sosreport to v4.11.1.
Upgraded app-shells/dash to v0.5.13.3.
Upgraded sys-apps/makedumpfile to v1.7.9.
Fixed CVE-2025-22116 in the Linux kernel.
Fixed CVE-2025-40135 in the Linux kernel.
Fixed CVE-2025-70873 in dev-db/sqlite.
Fixed CVE-2026-23245 in the Linux kernel.
Fixed CVE-2026-23255 in the Linux kernel.
Fixed CVE-2026-23276 in the Linux kernel.
Fixed CVE-2026-23302 in the Linux kernel.
Fixed CVE-2026-23368 in the Linux kernel.
Fixed CVE-2026-23374 in the Linux kernel.
Fixed CVE-2026-23397 in the Linux kernel.
Fixed CVE-2026-23398 in the Linux kernel.
Fixed CVE-2026-23399 in the Linux kernel.
Fixed CVE-2026-23412 in the Linux kernel.
Fixed CVE-2026-23413 in the Linux kernel.
Fixed CVE-2026-23441 in the Linux kernel.
Fixed CVE-2026-23442 in the Linux kernel.
Fixed CVE-2026-23449 in the Linux kernel.
Fixed CVE-2026-23452 in the Linux kernel.
Fixed CVE-2026-23455 in the Linux kernel.
Fixed CVE-2026-23456 in the Linux kernel.
Fixed CVE-2026-23457 in the Linux kernel.
Fixed CVE-2026-23465 in the Linux kernel.
Fixed CVE-2026-23471 in the Linux kernel.
Fixed CVE-2026-31392 in the Linux kernel.
Fixed CVE-2026-31400 in the Linux kernel.
Fixed CVE-2026-31402 in the Linux kernel.
Fixed CVE-2026-31406 in the Linux kernel.
Fixed CVE-2026-31407 in the Linux kernel.
Fixed CVE-2026-31414 in the Linux kernel.
Fixed CVE-2026-31415 in the Linux kernel.
Fixed CVE-2026-31416 in the Linux kernel.
Fixed CVE-2026-31418 in the Linux kernel.
Fixed CVE-2026-31421 in the Linux kernel.
Fixed CVE-2026-31423 in the Linux kernel.
Fixed CVE-2026-31424 in the Linux kernel.
Fixed CVE-2026-31426 in the Linux kernel.
Fixed CVE-2026-31427 in the Linux kernel.
Fixed CVE-2026-31428 in the Linux kernel.
Fixed CVE-2026-31434 in the Linux kernel.
Fixed CVE-2026-31438 in the Linux kernel.
Fixed CVE-2026-31446 in the Linux kernel.
Fixed CVE-2026-31447 in the Linux kernel.
Fixed CVE-2026-31448 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31450 in the Linux kernel.
Fixed CVE-2026-31451 in the Linux kernel.
Fixed CVE-2026-31452 in the Linux kernel.
Fixed CVE-2026-31453 in the Linux kernel.
Fixed CVE-2026-31454 in the Linux kernel.
Fixed CVE-2026-31455 in the Linux kernel.
Fixed CVE-2026-31466 in the Linux kernel.
Fixed CVE-2026-31469 in the Linux kernel.
Fixed CVE-2026-31495 in the Linux kernel.
Fixed CVE-2026-31496 in the Linux kernel.
Fixed CVE-2026-31515 in the Linux kernel.
Fixed CVE-2026-31516 in the Linux kernel.
Fixed CVE-2026-31519 in the Linux kernel.
Fixed CVE-2026-31521 in the Linux kernel.
Fixed CVE-2026-31523 in the Linux kernel.
Fixed CVE-2026-31525 in the Linux kernel.
Fixed CVE-2026-31528 in the Linux kernel.
Fixed CVE-2026-31531 in the Linux kernel.
Fixed CVE-2026-31557 in the Linux kernel.
Fixed CVE-2026-31648 in the Linux kernel.
Fixed CVE-2026-31667 in the Linux kernel.
Fixed CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144 in dev-lang/go.
Fixed CVE-2026-34743 in app-arch/xz-utils.
Fixed CVE-2026-4046 in sys-libs/glibc.
Fixed KCTF-42156f9 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Added support for NVIDIA drivers v580.126.16 and v580.126.20.
Fixed CVE-2025-70873 in dev-db/sqlite.
Fixed CVE-2026-31430 in the Linux kernel.
Fixed CVE-2026-31446 in the Linux kernel.
Fixed CVE-2026-31447 in the Linux kernel.
Fixed CVE-2026-31450 in the Linux kernel.
Fixed CVE-2026-31451 in the Linux kernel.
Fixed CVE-2026-31452 in the Linux kernel.
Fixed CVE-2026-31453 in the Linux kernel.
Fixed CVE-2026-31455 in the Linux kernel.
Fixed CVE-2026-31466 in the Linux kernel.
Fixed CVE-2026-31469 in the Linux kernel.
Fixed CVE-2026-31495 in the Linux kernel.
Fixed CVE-2026-31496 in the Linux kernel.
Fixed CVE-2026-31515 in the Linux kernel.
Fixed CVE-2026-31521 in the Linux kernel.
Fixed CVE-2026-31523 in the Linux kernel.
Fixed CVE-2026-31525 in the Linux kernel.
Fixed CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144 in dev-lang/go.
Fixed CVE-2026-34743 in app-arch/xz-utils.
Fixed KCTF-42156f9 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Added support for NVIDIA drivers v580.126.16 and v580.126.20.
Fixed CVE-2025-70873 in dev-db/sqlite.
Fixed CVE-2026-31430 in the Linux kernel.
Fixed CVE-2026-31446 in the Linux kernel.
Fixed CVE-2026-31447 in the Linux kernel.
Fixed CVE-2026-31450 in the Linux kernel.
Fixed CVE-2026-31451 in the Linux kernel.
Fixed CVE-2026-31452 in the Linux kernel.
Fixed CVE-2026-31453 in the Linux kernel.
Fixed CVE-2026-31454 in the Linux kernel.
Fixed CVE-2026-31455 in the Linux kernel.
Fixed CVE-2026-31466 in the Linux kernel.
Fixed CVE-2026-31469 in the Linux kernel.
Fixed CVE-2026-31495 in the Linux kernel.
Fixed CVE-2026-31496 in the Linux kernel.
Fixed CVE-2026-31515 in the Linux kernel.
Fixed CVE-2026-31521 in the Linux kernel.
Fixed CVE-2026-31523 in the Linux kernel.
Fixed CVE-2026-31525 in the Linux kernel.
Fixed CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144 in dev-lang/go.
Fixed CVE-2026-34743 in app-arch/xz-utils.
Gemini Enterprise: Custom MCP server data stores (Preview)
You can connect your custom Model Context Protocol (MCP) server with Gemini Enterprise to securely access your company's private data, custom internal tools, and MCP-compliant third-party systems.
This feature is turned off by default. To enable it, an Organization Policy Administrator must remove the organization constraint.
This feature is in Public Preview. For more information, see:
Improved transcription quality for Gemini Live API
You can now improve transcription quality for multilingual automatic speech
recognition (ASR) by using the
[input/output]_audio_transcription.language_codes field.
For more information, see Enable audio transcription for the session.
Asynchronous function calling with Live API
Asynchronous function calling is now available in public
preview in
Gemini Live API. You can run functions in parallel with conversation,
manage background processing, and handle function responses with policies
including SILENT, WHEN_IDLE, and INTERRUPT. For more information, see
Asynchronous function calling with
Gemini Live API.
Cloud Composer is now called Managed Service for Apache Airflow. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) remain unchanged and still reference Composer.
Dataproc and Google Cloud Serverless for Apache Spark are now unified under the Managed Service for Apache Spark brand. This change consolidates our managed Spark deployment options into a single umbrella brand that includes the full breadth of our Spark capabilities. No existing functionality is being removed as part of this change, and there is no impact to the Dataproc API, metastore, client library, CLI, or IAM names.
]]>New validations on paths in API configurations
API Gateway now enforces stricter syntax validations on templated paths when you create new API configurations and gateways.
See path templating syntax rules and limits for more information.
On April 27, 2026 we released an updated version of the Apigee hybrid software, v1.14.4.
Sidecar authentication for Workload Identity Federation on non-GKE platforms
Starting in version v1.14.4, you can now use a sidecar along with Workload Identity Federation on non-GKE platforms to mount security tokens from your preferred identity provider (IDP) for service account authentication. See Use sidecar authentication for Workload Identity Federation on non-GKE platforms.
| Bug ID | Description |
|---|---|
| 471527485, 471173296, 471172082, 471171833 | Security fixes for apigee-synchronizer. This addresses the following vulnerabilities: |
| 471290390, 471199955, 471197958, 470990914 | Security fixes for apigee-runtime. This addresses the following vulnerabilities: |
| 470992132, 470991089, 470989623, 470989232, 470988977 | Security fixes for apigee-mart-server. This addresses the following vulnerabilities: |
| 470953507, 470953254, 470952893 | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 451224723, 451224123 | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities:
|
| N/A | Security fixes for apigee-asm-ingress. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-asm-istiod. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-connect-agent. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-envoy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra-client. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-operators. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-prom-prometheus. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-redis. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-stackdriver-logging-agent. This addresses the following vulnerabilities:
|
| N/A | Security fixes for apigee-udca. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-watcher. This addresses the following vulnerability: |
The AI Cost Summary Agent is now available in Preview
You can now use the AI Cost Summary Agent to analyze your AI costs and gain critical insights into your AI-related spend. The agent analyzes spending related to Gemini usage, including Gemini API and Vertex AI.
This feature is available as a widget on the Billing Overview page for your Cloud Billing account.
For more information, see Analyze your AI spend with the AI Cost Summary Agent.
A new quota system governing the configuration size of Application Load Balancer is now available in Preview. This update increases the individual URL map size limit from 64Â KB and 128Â KB to 1Â MB. For more information, see URL map size and quota units.
Key aspects of this feature include:
For more information on increasing your limit or to participate in the preview, please contact Google Cloud Support.
Managed Cloud Service Mesh using the TRAFFIC_DIRECTOR implementation in the
regular channel now supports a limited implementation of the EnvoyFilter API.
To learn about the supported fields, extensions, and how to use EnvoyFilter
for features like local rate limiting see
Data plane extensibility with EnvoyFilter.
To troubleshoot any issue while configuring, see Resolving data plane extensibility issues.
Cloud Storage now offers support for AI zones. To learn more, see AI zones.
Generally available: Cloud TPU now offers TPU availability in AI zones. To learn more, see About AI zones.
Cloud Trace is a service covered by the Cloud Observability (Monitoring, Logging, Trace) Service Level Agreement (SLA).
Cloud Workstations UI supports additional machine series and types, including A2, A3, C3, C4, G4, M3, N4, and Z3. You can also select Confidential C3 standard machine types. For more information, see Available machine types.
The preconfigured base images
include a notification when the running_timeout for the workstation is
close to being reached.
Generally available: Compute Engine now offers support for AI zones. To learn more, see AI zones.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.122 | v27.5.1 | v2.0.8 | See List |
Resolved an issue that could cause soft lockups in stressed environments when iommu.strict=1.
Upgraded app-admin/node-problem-detector to v0.8.25.
Upgraded sys-apps/hwdata to v0.401.
Upgraded sys-process/lsof to v4.99.6.
Upgraded virtual/logger to v0-r3.
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-31414 in the Linux kernel.
Fixed CVE-2026-31415 in the Linux kernel.
Fixed CVE-2026-31416 in the Linux kernel.
Fixed CVE-2026-31418 in the Linux kernel.
Fixed CVE-2026-31421 in the Linux kernel.
Fixed CVE-2026-31423 in the Linux kernel.
Fixed CVE-2026-31424 in the Linux kernel.
Fixed CVE-2026-31426 in the Linux kernel.
Fixed CVE-2026-31427 in the Linux kernel.
Fixed CVE-2026-31428 in the Linux kernel.
Fixed CVE-2026-35414 in net-misc/openssh.
Fixed CVE-2026-4046 in sys-libs/glibc.
Fixed CVE-2026-4437,CVE-2026-4438 in sys-libs/glibc.
Fixed KCTF-a9b8b18 in the Linux kernel.
Upgraded containerd to v2.0.8. This fixes CVE-2026-35469.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.123 | v24.0.9 | v1.7.29 | See List |
Resolved an issue that could cause soft lockups in stressed environments when iommu.strict=1
Upgraded app-admin/node-problem-detector to v0.8.25.
Upgraded sys-process/lsof to v4.99.6.
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-31414 in the Linux kernel.
Fixed CVE-2026-31415 in the Linux kernel.
Fixed CVE-2026-31416 in the Linux kernel.
Fixed CVE-2026-31418 in the Linux kernel.
Fixed CVE-2026-31421 in the Linux kernel.
Fixed CVE-2026-31423 in the Linux kernel.
Fixed CVE-2026-31424 in the Linux kernel.
Fixed CVE-2026-31426 in the Linux kernel.
Fixed CVE-2026-31427 in the Linux kernel.
Fixed CVE-2026-31428 in the Linux kernel.
Fixed CVE-2026-35414 in net-misc/openssh.
Fixed CVE-2026-4046 in sys-libs/glibc.
Fixed CVE-2026-4437,CVE-2026-4438 in sys-libs/glibc.
Fixed KCTF-42156f9 in the Linux kernel.
Fixed KCTF-a9b8b18 in the Linux kernel.
Updated spdystream to v0.5.1 for containerd. This fixed CVE-2026-35469.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.161 | v24.0.9 | v1.7.27 | See List |
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-23360 in the Linux kernel.
Fixed CVE-2026-23401 in the Linux kernel.
Fixed CVE-2026-23414 in the Linux kernel.
Fixed CVE-2026-31414 in the Linux kernel.
Fixed CVE-2026-31415 in the Linux kernel.
Fixed CVE-2026-31416 in the Linux kernel.
Fixed CVE-2026-31418 in the Linux kernel.
Fixed CVE-2026-31421 in the Linux kernel.
Fixed CVE-2026-31423 in the Linux kernel.
Fixed CVE-2026-31424 in the Linux kernel.
Fixed CVE-2026-31427 in the Linux kernel.
Fixed CVE-2026-31428 in the Linux kernel.
Updated spdystream to v0.5.1 for containerd. This fixed CVE-2026-35469.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.68 | v27.5.1 | v2.1.7 | See List |
Resolved an issue that could cause soft lockups in stressed environments when iommu.strict=1
Upgraded app-shells/dash to v0.5.13.2.
Upgraded sys-libs/libseccomp to v2.6.0-r3.
Upgraded sys-process/lsof to v4.99.6.
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-35414 in net-misc/openssh.
Fixed CVE-2026-4437,CVE-2026-4438 in sys-libs/glibc.
Fixed KCTF-7e3955b in the Linux kernel.
Fixed KCTF-a9b8b18 in the Linux kernel.
Upgraded containerd to v2.1.7. This fixes CVE-2026-35469.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
Upgraded app-admin/fluent-bit to v4.2.4.
Upgraded sys-apps/pv to v1.10.4.
Upgraded sys-process/lsof to v4.99.6.
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-35414 in net-misc/openssh.
Fixed CVE-2026-4437,CVE-2026-4438 in sys-libs/glibc.
Fixed KCTF-7e3955b in the Linux kernel.
Fixed KCTF-a9b8b18 in the Linux kernel.
Upgrdaed containerd to v2.2.3. This fixes CVE-2026-35469.
Generally available (GA) with an allowlist: You can now migrate VMware management VMs from their host cluster to a different cluster within the same private cloud. This feature is available to select customers through an allowlist. To migrate management VMs, you must have at least two clusters in your private cloud, and the destination cluster must be a workload cluster. This operation transitions the target workload cluster to a management cluster, and the source management cluster becomes a workload cluster.
Google Kubernetes Engine now offers support for AI zones. To learn more, see AI zones.
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Version 20260423.01 of the guest agent
is now available for all supported operating systems. This version includes
the following fixes:
20260329.00
where dependent services like SSH failed to start due to missing host keys.The Database Center REST and RPC APIs are available in Preview. The Database Center API provides access to an organization-wide, cross-product database fleet health platform. You can use the API to aggregate health, security, and compliance signals from various Google Cloud databases.
For more information, see the Database Center API reference.
Database Center support for Model Context Protocol (MCP) is generally available (GA). You can use the Database Center remote MCP server to connect to Database Center from AI applications such as Gemini CLI, ChatGPT, or Claude. The MCP server provides access to Database Center tools that help you review fleet health, audit inventory, and check for security issues.
For more information, see Use the Database Center remote MCP server and the Database Center MCP tools reference.
Database Center fleet insights are available in Preview. Fleet insights highlight inventory and performance insights generated by Gemini. You can use these insights to identify and understand specific issues in your database fleet.
For more information, see View the performance of your database fleet and View your fleet inventory.
Database Center dashboard reporting is available in Preview. You can configure daily, weekly, and monthly reports that summarize your fleet inventory and health.
For more information, see Create reports for your dashboard views.
Database Center can monitor BigQuery resources. The resources table shows the following for a BigQuery database:
Datasets for a BigQuery database. For more information, see Introduction to datasets.
The number of reservations, which reserve resources, to process queries.
This feature is in Preview.
Database Center lets you monitor active queries across your fleet to identify and analyze query issues, such as slow queries. This feature supports AlloyDB for PostgreSQL and Cloud SQL database products.
For more information, see View the performance of your database fleet.
Monitoring the inventory, metrics, and alerts for Oracle Database@Google Cloud databases using Database Center is generally available (GA). For more information, see Supported health issues.
Cloud Composer is now called Managed Service for Apache Airflow. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Managed Airflow overview.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Knowledge Catalog overview.
Vertex AI is now called Gemini Enterprise Agent Platform. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) resources remain unchanged. For more information, see Agent Platform overview.
Mobile SDK for iOS version 2.15.2 patch
This patch updates the following for the mobile SDK for iOS:
BigLake is now called Google Cloud Lakehouse. BigLake metastore is now called the Lakehouse runtime catalog. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) remain unchanged and still reference BigLake.
]]>Fixed a validation error for engine versions aml-commercial.default.v004.009.202603-000 and aml-commercial.default.v004.010.202603-000 where the 500,000 party account limit was not correctly enforced.
An updated version of the Simba JDBC driver for BigQuery is now available.
You can use window functions with GoogleSQL in Bigtable to perform advanced analytic operations over multiple table rows. This feature is generally available (GA). For more information, see Window functions.
The Cloud Monitoring API MCP server is generally available (GA). To learn about using the Monitoring MCP server to let agents and AI applications interact with your metrics data, see Use the Cloud Monitoring remote MCP server.
The cloudsql_session_read_only session parameter provides a robust,
non-circumventable mechanism in Cloud SQL for PostgreSQL for preventing data
modification during a session. You can use this flag to either make a session
temporarily read-only, or make a session permanently, irreversibly
read-only.
For more information, see Create a read-only session in Cloud SQL for PostgreSQL.
Removed a query insights limitation for Cloud SQL Enterprise Plus edition and Cloud SQL Enterprise edition instances that use PostgreSQL 18.
Instances using PostgreSQL maintenance version 20260319.00_RC02 or any
later version now store application tags when using query insights even if
a query has comment tags before the start of a SQL statement.
Google Distributed Cloud (software only) for bare metal 1.32.1100-gke.84 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.1100-gke.84 runs on Kubernetes v1.32.13-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.32.1100-gke.84:
The following issues were fixed in 1.32.1100-gke.84:
Terminating state. Because
the Kubernetes Eviction API rejects operations in terminating namespaces, the
cluster controller entered an infinite retry loop. The fix updates the drain
process to skip eviction for pods in terminal phases, allowing the upgrade to
proceed normally.
etcd-events pod read the stale data directory when it started and attempted
to reuse the old member ID to rejoin the cluster instead of the new one.
Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures the /var/lib/etcd-events directory is
cleared upon failure, and adds retry logic to kubeadm-reset to improve
resiliency against transient API errors.
containerd
restarts. After the fix, tasks are locked and run sequentially to ensure each
task completes successfully before the next begins. Each lock is held for up
to 20 minutes or until the task reaches success or failure.
To bypass this safety mechanismrun and run tasks concurrently, add the
following annotation to your cluster: baremetal.cluster.gke.io/
concurrent-machine-update: "true".
kubeadm-reset during an upgrade or reset could crash and enter an infinite
retry loop, blocking the operation. This occurred because the tool failed to
read cluster configuration on newer Kubernetes versions.The following known issues affect Agent Registry:
SearchAgents or SearchMcpServers APIs for the global location, the results might incorrectly include resources from us and eu multi-regions.The Agent Registry remote Model Context Protocol (MCP) server is available in Preview. You can connect your AI applications to the Agent Registry MCP server to dynamically discover other agents, endpoints, and MCP servers available in your environment.
For more information, see Use the Agent Registry remote MCP server.
Agent Registry is available in Preview. Agent Registry is a centralized catalog for discovering and registering agents and Model Context Protocol (MCP) servers.
For more information, see the Agent Registry overview.
Database Migration Service quick-start migrations (in Preview) are now integrated into AlloyDB to provide a lightweight, continuous migration flow. This feature automates setup for sources with private IPs in a VPC network, including Cloud SQL for PostgreSQL and self-managed databases on Compute Engine.
For more information, see Quick-start migrations overview in the Database Migration Service documentation.
Application Design Center supports the following components in General Availability:
Application Design Center supports the following components in Preview:
If your application deployment fails, you can troubleshoot and fix errors (Preview). For more information, see Troubleshoot and fix deployment issues.
Create a composite template (Preview) using multiple application templates and components. For more information, see Design composite templates.
You can store templates and applications in the following regions:
For more information, see the following:
Use the following Google-provided application templates:
You can now use the visual graph modeler in BigQuery Studio to define BigQuery graph nodes and edges from your BigQuery tables and edit graph schema. This feature is available in Preview.
Dataproc is now called Managed Service for Apache Spark. The names for associated API, client library, CLI, and Identity and Access Management (IAM) resources remain unchanged.
BigLake is now called Google Cloud Lakehouse. BigLake metastore is now called the Lakehouse runtime catalog. The names for associated APIs, client libraries, CLI commands, and Identity and Access Management (IAM) remain unchanged and still reference BigLake.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) names remain unchanged. For more information, see Knowledge Catalog overview.
Looker Studio is now called Data Studio.
The website and endpoint change from lookerstudio.google.com to
datastudio.google.com. You do not need to update your reports for this change,
as Data Studio automatically redirects to the new domain. However,
if your company uses proxies to restrict access to external sites, your IT
administrator needs to add the new domain to your access control list (ACL).
The names for associated API, client library, CLI, and Identity and Access
Management (IAM) resources remain unchanged. For more information, see Data Studio returns as new home for Data Cloud
assets.
BigQuery graphs now support the following features:
GRAPH_EXPAND TVF,
and then query measures in that table with the
AGG function.These features are in Preview.
You can now use the Data Engineering Agent to build, modify, and troubleshoot data pipelines in BigQuery. This feature is generally available (GA).
You can now use the gemini-embedding-2-preview model in the
AI.EMBED,
AI.SIMILARITY,
and
AI.GENERATE_EMBEDDING
functions to generate a single embedding from a combination of input types,
including text, image, audio, video, and PDF files.
This feature is in Preview.
The Bigtable editions feature is generally available (GA). Bigtable editions introduces advanced features in performance, analytic query capability, and resource management. You can choose between the Enterprise and Enterprise Plus edition to select the right capabilities for your workloads. For more information, see Editions overview.
Bigtable provides an in-memory tier as part of its hybrid storage architecture. This tier provides sub-millisecond read latency and high throughput for time-sensitive data with independent vertical scaling to handle traffic surges. The in-memory tier is available only in the Enterprise Plus edition in Preview. For more information, see In-memory tier overview.
Bigtable tiered storage limit increases from 32Â TB to 64Â TB per node. This expansion provides higher storage density to support retention of larger volumes of infrequently accessed data and is available only in the Enterprise Plus edition. Tiered storage is available in Preview.
As part of Bigtable editions, you can use Data Boost to read data from tiered storage and HDD clusters. This feature is available only in the Enterprise Plus edition and is generally available (GA).
As part of Bigtable editions, you can use Data Boost to run GoogleSQL queries. This feature is available only in the Enterprise Plus edition and is generally available (GA). For more information, see High-throughput SQL analysis with Data Boost.
As part of Bigtable editions, you can configure which cluster in a replicated instance is used for automated backups. This feature provides greater cost control and backup resource management. This feature is available only in the Enterprise Plus edition and is generally available (GA). For more information, see Bigtable backups overview.
Managed Service for Apache Airflow supports Gemini Cloud Assist Investigations capabilities. The new troubleshooting agent can now troubleshoot failed Airflow task instances and DAG runs. The feature is available through Gemini Cloud Assist Investigations, which is currently accessible in Private Preview.
You can now use quick-start migrations for homogeneous PostgreSQL migrations to Cloud SQL for PostgreSQL and AlloyDB for PostgreSQL.
Quick-start migrations are a lightweight continuous migration flow where Database Migration Service can automatically set up everything you need to migrate sources that have a private IP assigned in a VPC network, such as self-managed databases on Compute Engine or Cloud SQL for PostgreSQL instances. This feature is in Preview.
Cost optimization with Gemini Cloud Assist provides the following additional features:
For more information, see Optimize costs with Gemini assistance.
App Topology is in Preview. App Topology lets you query data about your resources and applications from multiple sources, and then view the correlated data as a topology graph.
Policy profiles in authorization policies let you define the type of authorization being performed at the load balancer. This feature is available in Preview.
You can choose from the following profile types:
Request authorization profile (REQUEST_AUTHZ): Evaluates access based on
HTTP request headers. Authorization decisions can be made directly or
delegated to custom services. This is the default profile.
Content authorization profile (CONTENT_AUTHZ): Enables deep inspection of
application payloads (headers, body, and trailers). This is used for
content-based security, such as blocking prompt injection attacks and
preventing sensitive data leaks. Authorization decisions are always delegated.
Policy profiles are supported for the following Google Cloud services:
To learn more about policy profiles, see Authorization policy overview.
The Cloud Logging API MCP server is generally available (GA). To learn about using the Logging MCP server to let agents and AI applications interact with your log entries, see Use the Cloud Logging remote MCP server.
Application Monitoring in Google Cloud provides both agent observability and application observability. Your Application Monitoring dashboards display performance metrics, including the error rates and token usage of your AI resources. Those metrics can help you understand the health and performance of your AI resources.
To learn more, see the following:
Preview: Cloud Number Registry provides IP address management (IPAM) capabilities to let you view, manage, and plan your IP address usage in Google Cloud.
Database Migration Service quick-start migrations are now integrated into Cloud SQL for PostgreSQL to provide a lightweight, continuous migration flow. This feature automates setup for sources with private IPs in a VPC network, including Cloud SQL for PostgreSQL instances and self-managed databases on Compute Engine.
For more information, see Quick-start migrations overview in the Database Migration Service documentation. This feature is in Preview.
Generally available: The G4 accelerator-optimized machine series now supports the creation of virtual machine (VM) instances with less than one GPU attached (fractional GPUs). When you create VM instances with fractional GPUs, you can select 1/2, 1/4, or 1/8 of a G4 GPU. Fractional GPUs let you optimize costs for workloads that don't require the resources of a full GPU.
For more information, see the G4 machine series overview.
Config Connector version 1.148.0 is now available.
New Alpha Resources (Direct Reconciler):
ParameterManagerParameterVersion
New features:
MultiClusterLeaseSpec now supports integration with a syncer for KRM objects. This helps Config Connector take ownership of resources with service generated IDs.kompanion: Added a Model Context Protocol (MCP) server to the kompanion tool to enable AI IDEs and assistants to interact with Config Connector resources.Config Connector controllers: Added a --skip-name-validation flag to bypass duplicate controller name checks during registration, facilitating integration tests and multi-manager scenarios.Bug Fixes:
SQLInstance: Fixed an issue where settings.dataCacheConfig was incorrectly detected as different when dataCacheEnabled was false.SQLInstance: Updated matching functions to treat nil values in KRM as equivalent to empty or default objects in Google Cloud, preventing unnecessary re-reconciliation loops.TagKey/TagValue: Handle ALREADY_EXISTS error in TagKey and TagValue controllers by acquiring the existing resource.BigQueryAnalyticsHubDataExchange: Added structured reporting diff to improve visibility into resource changes and fixed reconciliation logic errors.CloudBuildTrigger: Restored missing descriptions in the CRD.RunService: Fixed a typo in environment variable values in samples and test fixtures.Documentation:
ControllerResource and NamespacedControllerResource.config-connector CLI and specifically for the preview command..Dataflow job builder now supports external Iceberg REST Catalogs as a source. You can now ingest data from external Apache Iceberg REST catalogs (IRC) directly into Lakehouse for Apache Iceberg tables using Dataflow's job builder UI without writing code. For more information, see Import data from external Iceberg catalogs to Lakehouse using Dataflow.
Eventarc support for creating triggers for direct events from Gemini Cloud Assist is available in Preview.
Various bug fixes and minor product enhancements.
MCP support is available in Private Preview. To request access, contact your Google Cloud account team. You can interact with Gemini Cloud Assist agents from various surfaces, including third-party client agents and IDEs, using the Model Context Protocol (MCP). For more information, see Integrating with MCP.
Proactive agents are available in Private Preview to Premium Support customers. Enable Gemini Cloud Assist to autonomously investigate issues triggered by Cloud Alerting policies or cost anomalies in the background. These investigations don't modify or make any changes to your environment. Results and insights, such as root cause analysis for alerts or cost spike drivers, are delivered via Eventarc. You can view these results in the Google Cloud console. This feature requires administrator enablement and configuration of an agent identity. For more information, see Configure proactive agents.
Page context awareness is available in Public Preview. Gemini Cloud Assist automatically uses the context of the content currently visible on your Google Cloud console page to provide more relevant and accurate responses to your prompts. For more information, see Manage page context sharing.
Enhanced agent administration controls are available in Public Preview. Administrators have the following options in the Cloud Assist settings panel:
This initial release includes (but is not limited to) the following releases or changes:
gemini-embedding-2) for General Availability.The table below lists all of the features that have been transitioned from Vertex AI and what their new names are in Agent Platform.
| Vertex AI name | Agent Platform name |
|---|---|
| Vertex AI Platform | Agent Platform |
| Generative AI on Vertex AI | Generative AI |
| Vertex AI Studio | Agent Studio |
| Vertex AI API | Agent Platform API |
| Vertex AI Model Garden | Model Garden |
| Vertex AI Models as a Service (MaaS) | MaaS |
| (Gemini/Veo) on Vertex AI | (Gemini/Veo) on Agent Platform |
| (Claude/Llama/DeepSeek/etc.) on Vertex AI | (Claude/Llama/DeepSeek/etc.), available on Agent Platform |
| Pre-trained APIs on Vertex AI | Pre-trained APIs on Agent Platform |
| (Provisioned Throughput/Pay-as-you-go/etc.) on Vertex AI | (Provisioned Throughput/Pay-as-you-go/etc.) on Agent Platform |
| Gemini Live API on Vertex AI | Gemini Live API on Agent Platform |
| Vertex AI Search | Agent Search |
| Vertex AI Search for Industry | Agent Search for Industry |
| Vertex AI Search for Commerce | Agent Search for Commerce |
| Recommendations from Vertex AI Search | Recommendations |
| Vertex AI Conversation | Agent Conversation |
| Vertex AI RAG Engine | RAG Engine |
| Vertex AI Vector Search | Vector Search |
| Vertex AI Vector Search 2.0 | Agent Retrieval |
| Vertex AI Agent Engine | Agent Runtime |
| Vertex AI Studio App Builder | App Builder in Agent Studio |
| Vertex AI Agent Engine Memory Bank | Agent Platform Memory Bank |
| Vertex AI Agent Engine Sessions | Agent Platform Sessions |
| Vertex AI Agent Engine Code Execution | Agent Platform Code Execution |
| Grounding with Google [...] in Vertex AI | Grounding with Google [...] in Agent Platform |
| Grounding with Google [...] in Vertex AI Search | Grounding with Google [...] in Agent Search |
| Grounding with Google [...] in Vertex AI Studio | Grounding with Google [...] in Agent Studio |
| Vertex AI Training | Agent Platform Managed Training |
| Vertex AI Serverless Training | Agent Platform Serverless Training |
| Vertex AI Training Clusters (VTC) | Managed Training Clusters |
| Ray on Vertex AI | Ray on Agent Platform |
| Reinforcement Learning from Human Feedback (RLHF)/Reinforcement Learning (RL) on Vertex AI | Reinforcement Learning on Agent Platform |
| Vertex AI Neural Architecture Search | Neural Architecture Search on Agent Platform |
| Vertex AI Prediction/Vertex AI Inference | Agent Platform Inference |
| Vertex AI Vision | Agent Platform Vision |
| Vertex AI Batch Inference | Agent Platform Batch Inference |
| Vertex AI Online Inference | Agent Platform Online Inference |
| Vertex AI Endpoints | Agent Platform Endpoints |
| Vertex AI Forecasting/Forecasting with AutoML | Forecasting on Agent Platform |
| Vertex AI Pipelines | Agent Platform Pipelines |
| Vertex AI Notebooks | Agent Platform Notebooks |
| Vertex AI Colab Enterprise | Agent Platform Colab Enterprise |
| Vertex AI Workbench | Agent Platform Workbench |
| Vertex AI Workbench Instances | Agent Platform Workbench Instances |
| Vertex AI Feature Store | Agent Platform Feature Store |
| Vertex AI Model Registry | Agent Platform Model Registry |
| Vertex AI Model Evaluation | Agent Platform Model Evaluation |
| Gen AI evaluation service on Vertex AI | Gen AI evals |
| Vertex AI AutoML (Vision/Video/Tables) | Agent Platform AutoML |
| Data Labeling on Vertex AI | Data Labeling |
| Vertex AI on GDC | Agent Platform on GDC |
| Vertex AI Experiments | Experiments on Agent Platform |
| Vertex AI Model Monitoring | Model Monitoring on Agent Platform |
| Vertex AI Media Studio | Agent Media Studio |
| Vertex AI | Agent Platform |
| Vertex AI Generative AI | Agent Platform Generative AI |
The following known issues affect Gemini Enterprise Agent Platform:
audio_track_extraction feature does not work. For more information, see Issue #504505771.Google Distributed Cloud (software only) for bare metal 1.33.700-gke.71 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.33.700-gke.71 runs on Kubernetes v1.33.5-gke.2200.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following features were added in 1.33.700-gke.71:
A health check was added to detect when secrets or config maps mounted in pods become "stale," or out-of-sync with the Kubernetes API server. This feature addresses scenarios where the Kubelet's local cache fails to update with the latest versions of configuration data. The check performs the following actions:
The following issues were fixed in 1.33.700-gke.71:
containerd
restarts. After the fix, tasks are locked and run sequentially to ensure each
task completes successfully before the next begins. Each lock is held for up
to 20 minutes or until the task reaches success or failure.
To bypass this safety mechanismrun and run tasks concurrently, add the
following annotation to your cluster: baremetal.cluster.gke.io/concurrent-machine-update: "true".
etcd-events pod read the stale data directory when it started and attempted
to reuse the old member ID to rejoin the cluster instead of the new one.
Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures that the system clears the /var/lib/etcd-events directory upon
failure, and adds retry logic to kubeadm-reset to improve
resiliency against transient API errors.Terminating state. Because
the Kubernetes Eviction API rejects operations in terminating namespaces, the
cluster controller entered an infinite retry loop. The fix updates the drain
process to skip eviction for pods in terminal phases, allowing the upgrade to
proceed normally.kubectl top,
Horizontal Pod Autoscaling, and Vertical Pod Autoscaling could
fail with TLS verification errors during certificate authority rotation. This
occurred because the leaf certificate was not immediately renewed when the
certificate authority was rotated, causing a temporary mismatch between the
trusted certificate authority bundle and the certificate presented by the
metrics server.GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
There are no new releases in the Stable channel.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2407000 | cos-117-18613-534-80 | cos-117-18613-534-80 release notes |
| 1.32.13-gke.1362000 | cos-117-18613-534-80 | cos-117-18613-534-80 release notes |
| 1.33.11-gke.1013000 | cos-121-18867-381-63 | cos-121-18867-381-63 release notes |
| 1.34.6-gke.1307000 | cos-125-19216-220-130 | cos-125-19216-220-130 release notes |
| 1.35.3-gke.1522000 | cos-125-19216-220-130 | cos-125-19216-220-130 release notes |
There are no new releases in the Stable channel.
Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the Migration guide and Community post to begin your transition.
This migration applies to you only if your SIEM instance meets one of the conditions below:
This migration does not apply to you if your SIEM instance meets all the conditions below:
Netskope: Version 17.0
The following new actions have been added:
Add Entities to URL List
Deploy URL List Changes
Netskope: Version 17.0
Added a new Use V2 API parameter to the following actions:
List Clients
List Quarantined Files
Integration: Added support for V2 API endpoints and OAuth 2.0 authentication.
Qualys VM: Version 26.0
SCC Enterprise: Version 21.0
Updated ticket synchronization logic in the following job:
McAfee Mvision EDR: Version 12.0
Login API Root as a
customizable parameter.Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the Migration guide and Community post to begin your transition.
This migration applies to you only if your SIEM instance meets one of the conditions below:
This migration does not apply to you if your SIEM instance meets all the conditions below:
Privileged Access Manager supports agent identities as grant requesters and approvers.
This feature is available in preview.
For more information, see Privileged Access Manager overview.
Agent Identity auth manager is available in preview. You can use Agent Identity auth manager to help securely authenticate your agents to third-party services using 3-legged OAuth, 2-legged OAuth, or API keys.
For more information, see Agent Identity auth manager.
Agent Identity is generally available (GA). Agent Identity provides a strongly attested, cryptographic identity for each agent that is tied to the lifecycle of the resource hosting the agent.
For more information, see Agent Identity overview.
Migrate to Virtual Machines now lets you use regional disks for the target virtual machine (VM) instance.
When Security Command Center is activated at the project level only, you can enable Vulnerability Assessment for Google Cloud on the single project.
Security Command Center has new predefined rules and controls:
Additional predefined security graph rules to support Agent Runtime
Additional support in existing correlated threats rules for Agent Runtime
Additional runtime detectors in Agent Platform Threat Detection
Additional Event Threat Detection rules to support AI agents
Security Command Center findings that are related to AI security risks are available in the Security tab of the Gemini Enterprise Agent Platform. The feature helps provide comprehensive visibility into findings, active threats, and attack path simulations. This feature requires Security Command Center Premium or Enterprise.
For more information, see View security findings.
Preview stage support for the following integration:
Preview stage support for the following integration:
Agent Search: MCP server (GA)
Agent Search has a Model Context Protocol (MCP) server hosted at the
following endpoint: https://discoveryengine.googleapis.com/mcp
This feature is generally available (GA). For more information, see MCP Reference: discoveryengine.googleapis.com.
Agent Search: Dense reciprocal rank for custom ranking
You can use the dense reciprocal rank transformation function, drr, to
customize search result ranking. It's an improvement on the reciprocal rank
function, rr. Using the dense reciprocal rank function leads to higher
quality ranking when there are duplicate signal values.
Duplicate signal values are more common when the ranking formula contains the following types of signal:
boosting_factor signalgeo_distance() function signalThis feature is generally available (GA). For more information, see Customize search results ranking.
Agent Search: Geodistance function for custom ranking (GA)
The geo_distance function can be used in custom ranking formulas to calculate
the distance between a source location and a destination location. The function
supports query locations extracted from natural language, explicitly provided
coordinates, and addresses.
This feature is generally available (GA). For more information, see Custom ranking: Geodistance—a derived signal.
Agent Search: Filter searches by document-level relevance (GA)
When searching in your Agent Search app, you can specify document-level relevance filters so that only the documents that meet the filter threshold are returned as results.
You can specify either the relevance threshold or semantic-relevance threshold to filter documents by relevance based on keyword and semantic search similarity.
This feature is Generally Available (GA). For more information, see Filter searches by document-level relevance.
Agent Search: Renamed from Vertex AI Search
The Vertex AI Search product has been renamed as Agent Search in the following contexts:
What has not changed:
The user interface in the Google Cloud console is still referred to as Vertex AI Search and AI Applications. See Vertex AI Search.
The APIs still use the Discovery Engine API endpoints. See APIs and reference.
Despite the rebrand, the product functionality remains the same.
reCAPTCHA is part of Google Cloud Fraud Defense, a suite of security products designed to protect your websites and applications from fraud and abuse. This change does not affect existing reCAPTCHA functionality. For more information, see Google Cloud Fraud Defense.
]]>The integration between AlloyDB for PostgreSQL and Knowledge Catalog (in Preview) is now enabled by default for all new AlloyDB clusters.
This integration provides a unified view of your metadata to simplify data governance and analysis. Recent enhancements feature near real-time synchronization, with updates reflecting in Knowledge Catalog within minutes, as well as expanded metadata details that now include Primary Keys and Foreign Keys.
For more information, see Integrate AlloyDB for PostgreSQL with Knowledge Catalog.
You can now use the AlloyDB columnar engine to act as a read-optimized, in-memory cache for HNSW indexes. This increases the number of queries per second (QPS) that your database can handle for vector search workloads. This feature is available in Preview.
For more information, see Accelerate vector search with the columnar engine.
You can now visualize BigQuery graph query results and graph schemas directly in BigQuery Studio, without the need of a notebook environment. This feature is in Preview.
Cloud Asset Inventory now supports listing assets over Model Context Protocol (MCP) (Preview).
You can now create an account connector using a custom OAuth client.
You can now use Git proxy with account connectors.
Gemini Enterprise: View agent identity (Preview)
As a Gemini Enterprise administrator, you can view an agent's identity on the Agent details page. This is typically the agent's SPIFFE ID.
This feature is in Public Preview. If the SPIFFE ID is not published by the publisher, the Agent Registry resource ID is displayed as a fallback. For more information, see Agent identity.
Gemini Enterprise: Register agents using A2UI and A2A with Gemini Enterprise (Preview)
Gemini Enterprise administrators can register and manage agents using Agent to UI (A2UI) to build custom interfaces and the Agent2Agent (A2A) Protocol for communication with Gemini Enterprise.
This feature is in Public Preview. For more information, see:
For clusters running GKE version 1.35.3-gke.1389000 or later,
you can now use the c4a-highmem-96-metal
(Preview) machine
type from the C4A machine series with the following features:
Starting in GKE version 1.35.2-gke.1842000, you can install the Slurm Operator add-on for GKE (Preview). This managed installation of the Slurm Operator allows you to enable Slurm scheduling capabilities on any GKE cluster. The add-on provides the foundation to build customized AI and HPC platforms, including CPU, GPU, and TPU machines (covering specific scenarios). For more information, see About Slurm on GKE.
Spanner full-text search supports
custom dictionaries
to create custom synonym mappings. You can use custom dictionaries with the
SEARCH, SCORE, and SNIPPET functions.
You can now use the Database Insights remote MCP server to analyze AlloyDB's performance and system metrics. This feature is in GA.
The AlloyDB remote MCP server—available through the global endpoint—is now generally available (GA) and includes support for the following:
For more information, see Use the AlloyDB remote MCP server.
ChatGPT users aren't able to list or use the AlloyDB toolset provided by the AlloyDB remote MCP server.
On April 20, 2026 we released an updated version of the Apigee hybrid software, v1.16.1.
| Bug ID | Description |
|---|---|
| 469900037 | Apigee hybrid now supports LLMTokenQuota and PromptTokenLimit policies. |
| 502577947 | Enhanced the ParsePayload policy to support a broader set of Model Context Protocol (MCP) methods and implemented governance bypass for essential system-level methods. |
| 503029410 | Removed PII from ParsePayload policy outputs to improve security and privacy. |
| Bug ID | Description |
|---|---|
| 485998102, 482978613 | Security fixes for apigee-runtime, apigee-mart-server, and apigee-synchronizer. This addresses the following vulnerabilities: |
| 471527485, 471173296, 471172082, 471171833 | Security fixes for apigee-synchronizer. This addresses the following vulnerabilities: |
| 454672970 | Security fix for apigee-runtime. This adds strict input validation to the IntegrationRegion parameter in the SetIntegrationRequest policy to prevent potential server-side request forgery (SSRF). |
| 493067053, 493061344, 492959383, 492957334, 492359443, 492358696, 492067139, 490280970, 489908390, 489907729, 489489437, 488070159, 485580973 | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 494902472, 493902764, 493747531, 493747186, 493066364, 492956556, 492812098, 492810982, 492737291, 492733739, 492067214, 491191150, 490628133, 490627481, 490279890, 490278396, 489905507, 489904404, 477290192 | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| 494874583, 493352686, 493350530, 493065065, 492958506, 492958221, 492810419, 492734198, 492360831, 491606491, 491602959, 490628958, 490628720, 490625335, 489487288, 477290192 | Security fixes for apigee-watcher. This addresses the following vulnerabilities: |
| 493904046, 493748763, 493353749, 492959837, 492959353, 492958532, 492734063, 492358967, 491163162, 489907974, 489494841, 477290192 | Security fixes for apigee-operators. This addresses the following vulnerabilities: |
| 493940049, 493935866, 492812693, 492811208, 490847438, 490285784, 443494822, 430609333, 428036268, 428035602 | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: |
| 494873893, 492957899, 492811896, 492735230, 492734621, 492362013, 492358145, 492044636, 491192904, 491163716, 490628292, 490283689, 489908590, 489487798, 485998102, 482978613 | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerabilities: |
| 495206280, 492736206, 492358267, 491606961, 491603879, 490845184, 490842872, 490626346, 490625529, 490278258, 489155677 | Security fixes for apigee-udca. This addresses the following vulnerability: |
| 492959491, 492959470, 492959266, 492812323, 492736535, 492736355, 492736200, 492734720, 492549333, 492528258, 492528186, 492361814, 492360845, 492359742, 492359020, 492039084, 490625473, 489488025, 489120498 | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerability: |
| 492959323, 492958717, 492813153, 492736850, 492736096, 492735265, 492360419, 492359937, 492359237, 492041473, 491604321, 491602140, 490847572, 490627493, 490282905, 489151338, 489127231 | Security fixes for apigee-redis. This addresses the following vulnerability: |
| 492736867, 492735320, 492550947, 492549407, 492360316, 492359543, 492358244, 491608063, 491603446, 491169265, 490282128, 490278007, 490276323, 489127588, 489124394 | Security fixes for apigee-asm-ingress. This addresses the following vulnerability: |
| 492956844, 492956300, 492812417, 492811007, 492810814, 492528300, 492361776, 492360457, 492360310, 492360053, 492358006, 492037890, 491606683, 489492294, 489152529 | Security fixes for apigee-asm-istiod. This addresses the following vulnerabilities: |
Starting July 25, 2026, the BigQuery Data Transfer Service for Facebook Ads
connector will update the data type
mapping for the ActionValue field in the AdInsightsActions report from INT
to FLOAT.
The following features have been added to Python UDFs during Preview:
RecordBatch interface for improved performance.container_request_concurrency, is available for the CREATE FUNCTION
statement. This option controls the maximum number of concurrent requests
per Python UDF container instance.external_service_costs column in the INFORMATION_SCHEMA.JOBS view and in
the ExternalServiceCosts field in the Job API.You can now migrate metadata from external data catalogs to BigLake tables for Apache Iceberg. This feature supports external data catalogs such as such as Apache Hive Metastore and Apache Iceberg REST Catalog. This feature is in Preview.
You can use the BigQuery MCP server to perform a range of data-related tasks with your AI applications including:
This feature is Generally Available (GA).
You can now publish a BigQuery Conversational Analytics agent in Gemini Enterprise. This feature is in Preview.
You can now use the notebook gallery in the BigQuery web UI as your central hub for discovering and using prebuilt notebook templates. This feature is generally available (GA).
You can use the Database Insights remote MCP server to analyze Bigtable's performance and system metrics. This feature is generally available (GA).
Bigtable continuous materialized views are generally available (GA). These views let you create precomputed tables that Bigtable automatically keeps in sync with your source data for low-latency queries and real-time insights.
Bigtable free trial instances are generally available (GA). These instances let you learn and explore Bigtable features for 90 days at no cost, providing a 1-node SSD cluster and up to 500Â GB of storage. For more information, see Free trial instances overview.
The Bigtable remote MCP server is generally available (GA). The Bigtable remote MCP server lets you interact with Bigtable instances from LLMs, AI applications, and AI-enabled development platforms.
GKE workload recommenders now available in the FinOps hub
You can now view recommendations for right-sizing overprovisioned workloads and optimizing underprovisioned workloads for Google Kubernetes Engine (GKE) clusters directly in the FinOps hub.
For more information, see Optimize workload resource utilization.
Cloud Run ephemeral disk, which allows you to mount a volume that persists only for the duration of your service, job, or worker pool instance, is in Preview.
You can use the Database Insights remote MCP server to analyze Cloud SQL for MySQL's performance and system metrics. This feature is in GA.
You can use the Database Insights remote MCP server to analyze Cloud SQL for PostgreSQL's performance and system metrics. This feature is in GA.
You can use the Database Insights remote MCP server to analyze Cloud SQL for SQL Server's performance and system metrics. This feature is in GA.
Cloud Storage Model Context Protocol (MCP) server is generally available. You can connect to Cloud Storage from AI applications using the server. It lets AI applications and agents create buckets, retrieve object metadata, read and write object data, and list buckets and objects. For more information, see Use the Cloud Storage MCP server and Cloud Storage MCP reference.
Generally available: You can use the Compute Engine remote Model Context Protocol (MCP) server to let AI agents and AI applications manage Compute Engine resources, such as Compute Engine instances, managed instance groups, disks, and snapshots. For more information, see Use the Compute Engine remote MCP server.
The Firestore emulator now supports Enterprise edition. See Start emulator in specific edition.
Firestore Enterprise edition in Native mode and the Pipeline operations interface are now supported at the General Availability (GA) level.
Firestore Enterprise edition now supports Text search and Geospatial search.
These features are in Preview.
The Firestore remote MCP server is now supported at the General Availability (GA) level.
You can now use pipeline operations to perform joins with subqueries. To learn more, see Perform joins with subqueries.
Firestore Enterprise edition now supports the
update(...) and delete() pipeline operation stages.
Use these stages to Modify data with Pipeline operations.
This feature is in Preview.
The maximum document size has been increased to 16 MiB. To learn more, see Behavior differences.
Support for text and geospatial search. You
can create text indexes, perform text and geospatial search queries using
the $text and $near operators, handle language settings, and calculate
relevance scores. To learn more, see Text search
and Geospatial search.
These features are available in Preview.
$lookup now supports let and pipeline.
Support for Change Streams. Change streams let applications access real-time changes (inserts, updates, and deletes) made to a collection or to an entire database.
This feature is available in Preview.
Support for the drop() command to delete entire collections.
This feature is available in Preview.
Gemini Enterprise: Request access to Google Cloud Marketplace agents (Preview)
End users can request access to Google Cloud Marketplace agents from Agent Gallery. Admins can configure the visibility of these agents, view purchase requests, and manage access requests.
This feature is in Public Preview. For more information, see:
Gemini Enterprise: Register ADK agents hosted on Vertex AI Agent Engine
You can register ADK agents hosted on Vertex AI Agent Engine with Gemini Enterprise. This includes agents running within Vertex AI Agent Engine in a different Google Cloud project. This feature is generally available (GA).
For more information, see:
Accelerator network profile is Generally Available (GA), simplifying your AI/ML node pool setup. Accelerator network profile automates networking configuration, including the creation of necessary VPCs and subnets, removing the need for complex, manual steps previously required for configuring GPU and TPU workloads. For details, see Configure automated networking for accelerator VMs.
Knowledge Catalog discovers links between data assets, helping you understand how they connect and the nature of their relationships. This feature is available in preview. For more information, see View data relationships in Knowledge Catalog.
Now available in preview, the Looker VS Code Extension brings LookML development to local desktop IDEs like Visual Studio Code, Claude Code, and Cursor. The extension supports syntax highlighting, autocomplete, real-time file synchronization with your Looker instance, and LookML validation. With the Looker MCP server, it enables AI-assisted development, allowing you to use natural language with agents like Gemini to generate and edit LookML code.
Migrate to Virtual Machines now supports the following operating systems for VMware, AWS, Azure, and image import sources:
CentOS is not supported on ARM architecture.
Oracle Database@Google Cloud integrates with Database Center to provide fleet-wide insights, proactive alerts, and actionable recommendations for your Oracle Database@Google Cloud resources, including Oracle Exadata and Autonomous databases. For more information, see Monitor the health of your Oracle Database@Google Cloud resources in Database Center.
This feature is Generally Available (GA).
Google SecOps for SAP is in Preview
Google SecOps for SAP is in Preview. This service helps you secure your SAP applications by integrating business-critical telemetry into the Google Security Operations platform, providing unified visibility and AI-powered threat detection across your SAP landscape.
For more information, see Google SecOps for SAP overview.
The Spanner remote MCP server is generally available (GA). The Spanner remote MCP server lets you interact with Spanner instances from LLMs, AI applications, and AI-enabled development platforms.
You can use the Database Insights remote MCP server to analyze Spanner's performance and system metrics. This feature is generally available (GA).
You can now use Spanner Studio to visually create and manage a Spanner Graph schema. Visual modeling simplifies graph design by enabling you to map nodes and edges through an intuitive interface instead of creating manual DDL statements. This feature is available in Preview.
]]>New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. Instances on MySQL version 8.0 or later will have updates sent to Knowledge Catalog in near real-time. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Near real-time.
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. Instances on PostgreSQL version 14.0 or later will have updates sent to Knowledge Catalog in near real-time. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Near real-time.
Newly created Cloud SQL instances are integrating with Knowledge Catalog (formerly Dataplex Universal Catalog) for data discovery. As part of this automatic enablement, we will send metadata to Knowledge Catalog. You can verify if your instance is enabled for integration with Knowledge Catalog by looking at the configuration pane in the Knowledge Catalog console. If you don't want your instance to be integrated with Knowledge Catalog, you can turn off this feature.
For more information, see Create a new instance with Knowledge Catalog integration enabled.
]]>When querying your Elasticsearch data using
standard SQL queries and specifying an
OFFSET, if the OFFSET gets pushed down, it gets applied twice. For example,
if your SQL query contains OFFSET 5, AlloyDB tries
to push the OFFSET down. Then, AlloyDB applies the
OFFSET again when the results are returned.
External search with AlloyDB now supports Elasticsearch in Preview.
With this update, you can use the external_search_fdw extension to connect to Elasticsearch and perform hybrid searches within AlloyDB. This integration allows you to combine the capabilities of AlloyDB with Elasticsearch for advanced search scenarios. For more information, see Access Elasticsearch data from AlloyDB.
The following AlloyDB AI function capabilities are available in Preview:
AI Function Apply node to run faster queries with AI functions. This feature optimizes the execution of SQL queries that use the ai.if and ai.rank functions in PostgreSQL 17. For more information, see Accelerate performance for queries with AI functions.You can now use the sentiment analysis and summarization functions. These functions let you process and analyze unstructured data directly in your database:
ai.analyze_sentiment: classifies the emotional tone of text as positive, negative, or neutral, helping you analyze real-time customer feedback from thousands of raw, unstructured product reviews.ai.summarize: condenses lengthy text into its essential information. Use this to extract key decisions and action items from sources like meeting transcripts or technical documentation.ai.agg_summarize: an aggregate function that processes multiple rows in a column to generate a single, unified summary for a group. For instance, you can summarize all reviews for a specific seller using a GROUP BY clause.For more information, see Evaluate sentiment and Summarize content.
App Optimize API is in Preview. App Optimize API helps you to monitor, analyze, and improve the performance and cost-efficiency of your cloud applications.
Using folders to organize and control access to single file code assets is generally available (GA). In addition, you can perform bulk move and delete operations, refresh folder contents, and view full breadcrumb paths based on resource permissions. For more information, see Create and manage folders.
You can now integrate Cloud SQL for SQL Server with Vertex AI and third-party models (Preview).
By integrating your Cloud SQL for SQL Server instance with Vertex AI, you can generate vector embeddings from models hosted in Vertex AI directly from your Cloud SQL instance.
Cloud SQL for SQL Server supports model endpoints from the following sources:
For more information, see Integrate Cloud SQL for SQL Server with Vertex AI.
Cloud Scheduler is available in the following locations:
europe-west4 (Eemshaven, Netherlands)me-central1 (Doha, Qatar)me-central2 (Dammam, Saudi Arabia)me-west1 (Tel Aviv, Israel)Generally available: You can create a Hyperdisk Balanced High Availability disk by cloning a zonal Hyperdisk Balanced or Hyperdisk Extreme disk. This lets you make your zonal workloads highly available by adding a replica of the data in another zone within the same region.
For more information, see Create a regional disk clone from a zonal disk.
Various bug fixes and minor product enhancements.
Various bug fixes and minor product enhancements.
RAG Cross Corpus Retrieval
RAG Cross Corpus Retrieval is available in public preview. This feature allows you to retrieve relevant contexts or generate answers from multiple RAG corpora simultaneously using the AsyncRetrieveContexts and AskContexts APIs.
For more information, see RAG Cross Corpus Retrieval.
The Managed Service for Apache Kafka remote MCP server is generally available (GA).
Data quality now supports rule reusability. You can now define data quality rules as templates and reuse them across multiple catalog entries to standardize your data quality processes. You can also use a shared library of system rule templates for common data validation scenarios. For more information, see Reuse data quality rules.
You can now build and run a Knowledge Catalog discovery agent to get more relevant search results for complex natural language queries.
For more information, see Build an agent to discover your data.
To further refine lineage graphs, Knowledge Catalog lineage views include new highlight and filter modes. This feature is available in preview. For more information, see Apply filters and highlighting for a focused view.
The Memorystore for Redis remote MCP server is Generally Available.
The Memorystore for Valkey remote MCP server is Generally Available.
You can secure access to your instances by using basic token-based authentication. This feature is available in Preview.
The ONTAP-mode for the Flex Unified pools is generally available (GA). For more information about this new mode, see About ONTAP-mode.
Google Cloud NetApp Volumes Flex Unified service level is generally available (GA) for NFS, SMB, and NVMe/TCP protocols. For more information, see Key features.
The large capacity volumes feature, a file-only solution with NFS and SMB protocols for massive datasets, is generally available (GA) for the Flex Unified service level. For more information, see Large capacity volumes.
You can use the Network Management API remote Model Context Protocol (MCP) server to create, view, and delete Connectivity Tests.
You can now use the Oracle Database@Google Cloud remote MCP server. The remote MCP server lets you interact easily with Oracle Database@Google Cloud resources from LLMs, AI applications, and AI-enabled development platforms.
This feature is in Preview.
The Pub/Sub remote MCP server is generally available (GA).
Through the Application Design Center, Security Command Center helps you perform proactive security assessments (Preview) throughout your application development lifecycle. This integration shows both design-time and runtime findings in Security Command Center. For more information, see Application lifecycle security assessments.
Data Security Posture Management has new controls in Preview. The controls help you secure Cloud Storage objects and include the following:
For more information, see Advanced data governance and security cloud controls.
You can use authorization extensions to insert custom services directly into the Secure Web Proxy processing path. This feature is in Preview. For more information, see Callouts for Secure Web Proxy.
Authorization extensions support authorization policy request and content profiles in Preview.
Repeatable read isolation is generally available. You can use it to reduce latency and transaction failure rates for workloads that have many reads contending with fewer writes. For more information, see Repeatable read isolation.
Spanner supports Gemini Cloud Assist investigation capabilities. You can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium support contract.
For more information, see monitor and troubleshoot your Spanner instance with AI assistance.
Columnar engine for Spanner is now generally available (GA). Columnar engine is a storage technique used with analytical queries to make scans up to 200 times faster on live operational data without affecting transaction workloads. This release enables support for Columnar Engine in databases that use the Postgres interface.
For more information, see the Columnar engine for Spanner overview.
]]>Generally available: The AI Hypercomputer documentation includes support for the A3 Mega and A3 High machine types. The addition of A3 Mega and A3 High expand the available compute options for training and serving large-scale AI models on Google Kubernetes Engine (GKE) and Compute Engine.
To support this effort, several new pages have been added and existing pages updated in the AI Hypercomputer documentation where relevant. These updates provide comprehensive guidance for deploying, managing, and optimizing the A3 Mega and A3 High machine types within the AI Hypercomputer stack.
New documentation pages include the following:
The following vector search improvements are now available in Preview:
alloydb_scann extension now supports four-level tree indexes,
providing support for tables with up to 10 billion vector rows. For more
information, see Four-level ScaNN tree
indexes.Adaptive filtering from inline filtering to pre-filtering is now generally available (GA). With AlloyDB AI, you can use adaptive filtering to optimize filtered vector searches. This feature enables the query optimizer to use cost-based analysis to dynamically choose the most efficient filtering strategy—either inline filtering or pre-filtering—based on real-time data distributions. This improves filtered vector search performance without requiring manual tuning or intervention. Note that the feature adaptive filtering from pre-filtering to inline filtering is still in Preview.
For more information, see Understand adaptive filtering in AlloyDB AI.
The alloydb_scann extension is updated to include the following
vector search improvements. These features are generally available
(GA):
Conversational analytics now supports querying Lakehouse tables that connect to the Apache Iceberg REST catalog or are federated to an external catalog. For more information, see Query BigLake data with natural language.
This feature is in Preview.
You can now use Colab Data Apps to transform your data analyses from Colab notebooks into polished, interactive applications.
This feature is in Preview.
You can now use the
AI.KEY_DRIVERS function
to identify segments of data that cause statistically significant changes to a
summable metric.
This feature is in Preview.
You can stream messages from Pub/Sub directly to a Bigtable table using Bigtable subscriptions. This feature lets you write streaming messages to Bigtable without needing a separate subscriber such as Dataflow. This feature is available in Preview.
Support for specifying custom CPU or concurrency targets using scaling controls is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
The Cloud SQL remote MCP server is generally available (GA). The Cloud SQL remote MCP server lets you interact easily with Cloud SQL instances from LLMs, AI applications, and AI-enabled development platforms.
You can use DNS automation on Cloud SQL instances where Private Service Connect is enabled to provision and manage per-instance DNS records automatically. On Enterprise Plus edition instances where DNS automation is enabled, you can also enable a global write endpoint DNS that automatically resolves to your current primary instance.
This feature is in Preview.
Cluster Toolkit version v1.88.0 is available. This release adds dynamic
machine configurations by using the Compute Engine API. This release also
refactors the naming convention for Helm releases within the kubectl-apply
module, which helps to improve the predictability and maintainability of
deployed resources. For details, see the Release announcement on
GitHub.
Generally available: To ensure data consistency when backing up multiple disks, you can use consistency groups of instant snapshots to back up a group of disks at the same point in time.
For more information, see About instant snapshots.
Preview: You can specify a 120-second preemption notice duration while creating Spot VMs. Use this feature for workloads on Spot VMs where you want up to an additional 120 seconds for handling preemption. If you want to migrate existing Spot VMs workloads, make sure you update your workload to handle preemption outside of a shutdown script and test preemption. For more information, see Spot VMs and Create and use Spot VMs.
Generally available: You can rotate the customer-managed encryption key (CMEK) used to encrypt a disk, standard snapshot, or archive snapshot to a new key version without downtime.
Generally available: You can change the CMEK used to encrypt a disk, standard snapshot, or archive snapshot to a different key without downtime.
For more information, see Rotate the CMEK for a disk or standard snapshot and Change the CMEK for a disk or standard snapshot.
You can connect Dataform repositories to third-party Git repositories using Developer Connect, removing the need for manual secrets management and enabling support for repositories in privately hosted networks. This feature is generally available (GA).
You can now create a Datastream stream directly from the overview page of your AlloyDB for PostgreSQL instance using the automated flow. The automated flow simplifies the process of moving data to BigQuery by reducing the number of steps that you need to perform.
For more information, see Create an AlloyDB for PostgreSQL stream using the automated flow.
Various bug fixes and minor product enhancements.
As of April 16th, 2026, the geminicloudassist.googleapis.com API has been
automatically enabled on projects that meet all of the following criteria:
cloudaicompanion.googleapis.com API enabled on April 16, 2026.geminicloudassist.googleapis.com API enabled on
April 16, 2026.The Gemini Cloud Assist chat functionality that was previously served by
cloudaicompanion.googleapis.com is now served by
geminicloudassist.googleapis.com, and both APIs are dependencies to use
Gemini Cloud Assist. This automatic API enablement ensures that users have
access to the same functionality without any loss of service.
Data insights for unstructured data transforms dark data or unstructured files in the form of PDFs in Cloud Storage into structured, queryable assets. This feature is now available in preview.
For more information, see About data insights for unstructured data.
Automated cataloging of Iceberg REST Catalog (IRC) for Google Cloud Lakehouse runtime catalog is now generally available (GA). This includes support for lineage, data profiling, data quality, and data insights.
Federated support for Databricks Unity IRC, AWS Glue Data Catalog IRC, and Snowflake Horizon IRC is available in preview.
For more information, see About metadata management in Knowledge Catalog.
You can migrate your workloads from your self-managed Redis and Valkey instances that run in Google Cloud Platform into Memorystore for Valkey. This feature is available in Preview.
The shared and customer-managed Certificate Authority (CA) modes are Generally Available.
You can stream messages from Pub/Sub directly to a Bigtable table using Bigtable subscriptions. This feature lets you write streaming messages to Bigtable without needing a separate subscriber such as Dataflow. This feature is available in Preview.
Integrated secret synchronization feature is now Generally Available (GA). You can automatically synchronize secrets from Secret Manager into Kubernetes Secret objects within your Google Kubernetes Engine (GKE) clusters. This process allows applications to access secrets from Secret Manager using standard Kubernetes methods, such as environment variables or volume mounts. Applications that are already configured to read secrets from Kubernetes Secret object can now seamlessly read secrets in Secret Manager.
For more information, see Synchronize secrets to Kubernetes Secrets.
AI Protection supports agentic workloads in Preview, including Gemini Enterprise Agent Platform and Model Context Protocol (MCP) servers. This update includes the following:
The AlloyDB for PostgreSQL index advisor is enabled by default. It provides vector search index recommendations for Scalable Nearest Neighbors (ScaNN) indexes. For more information, see Use the index advisor.
Platform logs can record data about successful and failed requests made to Artifact Registry repositories. For more information, see Access and use platform logs.
BigQuery Apache Iceberg external tables now support Iceberg version 3, including binary deletion vectors. For more information, see Apache Iceberg external tables. This feature is in Preview.
BigQuery agent analytics is now generally available (GA) in the Google Agent Developer Kit. BigQuery agent analytics is an open source solution that lets you capture, analyze, and visualize multimodal agent interaction data at scale.
A known issue has been resolved where a materialized view refresh could expose could expose masked or filtered data from fine grained access control policies in error messages. No further action is needed.
You can now use EXPORT DATA
statements to reverse
ETL BigQuery data to AlloyDB. This feature is
in Preview.
Dataplex Universal Catalog is now called Knowledge Catalog. The API, client library, CLI, and Identity and Access Management (IAM) names remain unchanged. For more information about how Bigtable metadata interacts with Knowledge Catalog, see Manage data assets using Knowledge Catalog.
The following resource type is publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, SearchAllResources, and SearchAllIamPolicies APIs.
storagebatchoperations.googleapis.com/JobTo more strongly embrace the success and growing customer preference for OSS solutions, Cloud Composer is evolving to become Managed Service for Apache Airflow. This name change provides improved customer understanding of our portfolio while reinforcing our commitment to being the most open cloud ecosystem.
Airflow 3 is now generally available (GA) in Cloud Composer 3.
Cloud Composer remote Model Context Protocol (MCP) server is available in Preview.
You can use Cloud Composer remote Model Context Protocol (MCP) server to connect to Cloud Composer from AI applications such as Gemini CLI, ChatGPT, Claude, or in AI applications that you're developing. The Cloud Composer MCP server lets you manage Cloud Composer environments and get details about executed DAG runs and Airflow tasks.
The Cloud Run remote MCP server, which lets agents and AI applications deploy with Cloud Run, is in General Availability (GA).
Your trace data can be encrypted with a customer-managed encryption key (CMEK). To enable CMEK, set a default storage location and for that location, set a default Cloud Key Management Service key.
You can set these defaults for an organization, a folder, or a project. When set for an organization or folder, the settings apply to that resource and to its descendants. For more information, see Set defaults for observability buckets.
When you configure a default storage location, you control the location of your new observability buckets. These buckets store your trace data.
You can set a default storage location for an organization, a folder, or a project. When set for an organization or folder, the setting applies to that resource and to its descendants. For more information, see Set defaults for observability buckets.
You can view the physical location of your Compute Engine instances in a zone to understand your cluster topology. This information helps you reduce network latency between your compute instances. For more information, see View Compute Engine instance topology.
Generally available: You can control the physical location of the Compute Engine instances in a MIG by using workload policies. Workload policies help you to, for example, place your compute instances close together to minimize network latency when running AI or ML workloads. For more information, see About workload policies in MIGs.
Gemini Enterprise: Use Gemini Enterprise Admin and Gemini Enterprise User IAM roles
Use the Gemini Enterprise Admin and Gemini Enterprise User roles.
The Gemini Enterprise Admin and Gemini Enterprise User roles still map to the Discovery Engine admin and user roles, so existing customers do not need to make any changes.
For more information, see IAM roles and permissions.
Google Cloud CCaaS 4.21
We've released version 4.21 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Language selection support for direct calls
End-users making direct calls to agent phone numbers and agent extension numbers can select their language at the start of a call.
Administrators: The Add Number and Edit a Number dialogs, located at Settings > Call > Phone Numbers > Phone Number Management, have a new Set languages checkbox (when the Set as a direct number checkbox is selected). When you select the Set languages checkbox, the Select languages list appears.
For more information, see Create a direct phone number.
"Improved controls for predictive campaigns" is available without assistance from the Google account team
This feature was announced on March 24, 2026 but previously required the Google account team to enable it. You no longer need assistance from the Google account team to use this capability. For more information, see Predictive campaigns.
Virtual agents can transfer calls to a specific human agent
Virtual support agents can transfer calls directly to a specific human agent
using the agent ID or agent extension number. Include the agent_extension or
agent_id field in the transfer payload to direct the call to the correct
agent. Transferring directly to a human agent eliminates the intermediate step
of transferring to a queue before transferring to the agent. This can improve
wait times and customer satisfaction. For more information, see Virtual agent
to human agent
transfers.
The following issues were addressed in this release:
Fixed an issue where backslash characters in chat shortcuts and chat messages weren't displayed correctly, resulting in missing or empty message chat bubbles.
Fixed an issue where virtual agent chat transcripts didn't match the actual conversation.
Fixed an issue where call times in session metadata for virtual agent to human agent escalations were shorter than the actual call times.
Fixed an issue where agents were able to join a conference call despite receiving microphone permission errors.
Fixed an issue where direct inbound calls to Twilio numbers assigned at the user level continuously rang without reaching the agent.
Fixed an issue where chat transfers from auto-answer queues to manual-answer queues were incorrectly recorded as manual-to-manual in reporting.
Fixed an agent desktop issue where French (Canadian) translations were missing or incorrect during outbound calls.
Fixed an issue where the All Teams filter didn't block interactions with background elements, which could cause unintended end-user interactions with the UI.
Fixed an issue where missed call volumes didn't appear on the agent monitoring page.
Fixed an issue that occurred when the Display transfer history in agent adapter capability was enabled. After a virtual agent escalation, escalated queue names were shown in English instead of the correct target language.
Fixed an issue where virtual agent audio sessions ended after 15 minutes, causing calls to be escalated unexpectedly.
Fixed an issue where underscores within email addresses were incorrectly removed in CRM transcripts.
Fixed an issue where chat transcript PDFs weren't generated when real-time redaction was enabled and conversations included non-text message types such as inline buttons or content cards.
Fixed an issue where content cards sent by virtual agents during conversations were missing from the PDF chat transcript.
Fixed an issue where chat transcripts created through the API weren't appearing in agent conversations.
Fixed an issue where voicemails disappeared from the agent's queue and didn't appear in voicemail history or reports.
Fixed an issue where the agent adapter displayed Escalated Virtual Agent Call instead of IVR Callback after connecting during a callback.
Fixed an issue where chat disposition selections reset during wrap-up, particularly when Agent Assist was enabled.
Fixed an issue where custom fields in dialer list uploads worked only if the column headers were in all caps.
Fixed an issue where the email adapter didn't start up.
Google Distributed Cloud (software only) for bare metal 1.34.300-gke.59 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.34.300-gke.59 runs on Kubernetes v1.34.3-gke.400.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.34.300-gke.59:
RecentFailures field
in the cluster status. This change provides a centralized location for viewing
errors from both worker node pools and control plane nodes, improving the
troubleshooting and debugging experience.
kubectl top, Horizontal Pod Autoscaling (HPA), and Vertical Pod Autoscaling
(VPA)—could fail with TLS verification errors during CA rotation.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
There are no new releases in the Stable channel.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2369000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.31.14-gke.1790000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.32.13-gke.1318000 | cos-117-18613-534-62 | cos-117-18613-534-62 release notes |
| 1.35.3-gke.1389000 | cos-125-19216-220-106 | cos-125-19216-220-106 release notes |
There are no new releases in the Stable channel.
[Spotlight Feature] Unified and upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. In addition, we've upgraded the following Chronicle API resources from alpha to beta. This upgrade signals API Stability and functional completeness, enabling customer and partner adoption for production usage. We recommend customers use Chronicle API for a more robust, secure, and extensible experience.
For more information, see Chronicle API.
SentinelOneV2: Version 50.0
The following new job has been added:
CrowdStrike Falcon: Version 76.0
The following new job has been added:
ServiceNow: Version 64.0
Added support for disabling overflow settings and updated ticket processing and environment mapping logic in the following connector:
Zscaler: Version 14.0
Added the ability to provide IOCs using input parameters to the following actions:
Add To Blacklist
Add To Whitelist
Remove From Blacklist
Remove From Whitelist
Integration: Added support for OAuth authentication.
Mandiant Threat Intelligence: Version 17.0
Optimized execution performance and entity processing logic in the following action:
Migrate your Teams webhook to "Workflows"
Microsoft is retiring the legacy Office 365 Connectors in favor of Power Automate Workflows. Connectors will stop working by the end of April 2026. To ensure that your Looker alerts continue to deliver to Teams, you must replace your current webhook URL with a new "Workflow" URL. For more information, see the Migrate your Teams webhook to "Workflows" Best Practices notice.
Memorystore for Valkey has new node types that you can select for your instances. This feature is Generally Available.
When you activate Security Command Center Standard or Premium tier for a project, several services are automatically enabled and service-specific service agents are provisioned with the required IAM roles and permissions.
For more information, see Activate for a project when Security Command Center is not active in the organization.
]]>As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your AlloyDB for PostgreSQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
Support for deploying Cloud Run worker pools is now generally available (GA).
The Deployments page supports viewing recent application deployments to Google Kubernetes Engine (GKE) and Cloud Run.
Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) with VPC Network Peering is Generally Available.
Network Connectivity Center (NCC) support for Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) is available in Preview.
For more information, see Partner Cross-Cloud Interconnect for AWS overview. For available locations, see Choose a paired location.
Support for worker pools is in General Availability (GA).
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
As of April 10, 2026, you can create, run, and edit Gemini Cloud Assist investigations only if you have a Premium Support contract. You can use Gemini Cloud Assist investigations to monitor and troubleshoot your Cloud SQL instance with AI assistance.
If you ran an investigation prior to April 10, 2026, then the results of the investigation continue to be available to you in the Google Cloud console.
A vulnerability (CVE-2025-54510) about AMD SEV-SNP guest memory integrity has been addressed. For more information, see the GCP-2026-019 security bulletin.
A vulnerability affecting AMD SEV-SNP Confidential VM instances was discovered and has been addressed. For more information, see the GCP-2026-021 security bulletin.
Generally available: Hyperdisk ML disks are supported by the following machine series:
For more information, see Hyperdisk ML overview.
A vulnerability affecting AMD SEV-SNP Confidential VM instances was discovered and has been addressed. For more information, see the GCP-2026-021 security bulletin.
Gemini Enterprise: New data stores (Public Preview)
The following data store are available in Gemini Enterprise:
These data stores are in Public Preview. For more information, see Connect a third-party data source.
Anthropic's Claude Opus 4.7
Claude Opus 4.7 is available in Model Garden.
Advance reporting dashboards prerelease notes
Here are the pre-release notes for updates to the advanced reporting dashboards. When we release these updates, we expect the new capabilities to be as shown here.
Added a Location filter to dashboards
The following dashboards now include a Location filter:
Real-time Channel Performance
Transfers
Queue Interval
Queue Performance dashboard improvements
We've made the following improvements to the Queue Performance - Calls and Queue Performance - Chats dashboards:
Added the dashboards to the Advanced Reporting Landing Page.
Added a Support Phone Number filter.
Renamed the Total Inbound Handled tile (calls only) to Total Queue Answered.
Added a Total Failed tile.
In the Queue Summary table, removed the Total Inbound Calls Handled column and added the following columns: Total Queue Interactions, Total Queue Entries, Total Queue Answered, Total Failed, and Total Transfers.
General dashboard updates
In the Performance Overview dashboard, we renamed the following tiles:
Queued Now to Current Queued Now
Max Queue Time to Current Max Queue Time
The Real-time Connected - Calls and Real-time Connected - Chats dashboards now include the following tiles:
Total Connected Calls (calls only)
Total Connected Chats (chats only)
Avg Current Sentiment Score
In the Queue Group Performance - All dashboard, we renamed the Lang filter to Language.
The following issues were addressed in this release:
Fixed an issue where the CSAT scores in the Performance Overview and CSAT dashboards didn't match.
Fixed an issue where the Queue Performance dashboard incorrectly totaled queue interactions, resulting in lower counts than expected.
Fixed an issue in the All Interactions - Chat dashboard where the Virtual Agents Chats table displayed the wrong chat.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue where the Chat ID filter on the Queue Performance - Chats dashboard incorrectly displayed placeholder values.
Fixed an issue where scheduled exports of large queries were limited to 500 rows, causing reporting delays.
Fixed an issue in the Historical Data table of the Agent Activity dashboard where the Start Time and End Time columns indicated incorrect durations for agents belonging to multiple teams.
Fixed an issue where short abandoned calls and chats were incorrectly included in the Abandons dashboard, causing inaccurate reporting of queue abandon times.
Fixed an issue where dashboard windows didn't fully display their contents.
Network Connectivity Center (NCC) support for Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) is available in public preview.
Cloud Run Threat Detection monitors Cloud Run worker pools. For a list of resources that Cloud Run Threat Detection monitors, see Supported resources.
]]>