Skip to main content

Application Integration CVE-2026-2031

| EUVDEUVD-2026-30552 CRITICAL
Missing Authorization (CWE-862)
2026-05-15 GoogleCloud GHSA-5m89-9vmq-75r8
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 17:01 EUVD
Analysis Generated
May 15, 2026 - 16:30 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
10.0 (CRITICAL)

DescriptionCVE.org

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.

AnalysisAI

Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.

Technical ContextAI

Google Cloud Application Integration is a platform service that manages API integrations and workflows between cloud services. The vulnerability affects internal API endpoints that should have been restricted to internal service-to-service communication but were accessible from external networks. The root cause is CWE-862 (Missing Authorization), where critical API endpoints lacked proper access control checks, allowing any remote attacker to invoke internal functionality designed only for trusted components.

RemediationAI

Apply the Google Cloud platform update released on 2026-01-23 or later to remediate this vulnerability. As these are platform-managed APIs, customers should verify their Google Cloud projects are running on the patched platform version through the Cloud Console. If immediate patching is not possible, implement network-level controls to restrict access to Application Integration API endpoints to only authorized source IPs, though this may impact legitimate integrations. Monitor Application Integration audit logs for suspicious API calls to internal endpoints that should not be externally accessible.

Share

CVE-2026-2031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy