How to fix CVE-2025-13426?

Within 24 hours: Audit all Apigee policies to identify active JavaCallout implementations and restrict administrative access to policy management. Within 7 days: Implement network segmentation to isolate Apigee instances and disable JavaCallout policies if operationally feasible, or apply strict input validation and monitoring. Within 30 days: Upgrade all Apigee instances to patched versions (Hybrid 1.11.2+, 1.12.4+, 1.13.3+, 1.14.1+, OPDK 5202+, or 5300+).

Is Java affected by CVE-2025-13426?

Google Apigee's JavaCallout policy contains a critical vulnerability (CVE-2025-13426) that could allow attackers to execute arbitrary code on affected API gateway instances, potentially compromising sensitive data and backend systems.

CVE-2025-13426

EUVD-2025-201493 HIGH

2025-12-05 f45cbf4e-4146-4068-b7e1-655ffc2c548c

8.7

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201493

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.7

Description

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

Analysis

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution.

It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems.

The Apigee hybrid versions below have all been updated to protect from this vulnerability:

Hybrid_1.11.2+
Hybrid_1.12.4+
Hybrid_1.13.3+
Hybrid_1.14.1+
OPDK_5202+
OPDK_5300+

Technical Context

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Improper Control of Dynamically-Managed Code Resources (CWE-913).

Remediation

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.5

CVSS: +44

POC: 0

CVE-2025-13426 vulnerability details – vuln.today

Back

CVE-2025-13426

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

CVE-2025-13426

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

External POC / Exploit Code