Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Lifecycle Timeline
3DescriptionCVE.org
An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.
AnalysisAI
Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.
Technical ContextAI
Google Cloud Application Integration is a platform service that manages API integrations and workflows between cloud services. The vulnerability affects internal API endpoints that should have been restricted to internal service-to-service communication but were accessible from external networks. The root cause is CWE-862 (Missing Authorization), where critical API endpoints lacked proper access control checks, allowing any remote attacker to invoke internal functionality designed only for trusted components.
RemediationAI
Apply the Google Cloud platform update released on 2026-01-23 or later to remediate this vulnerability. As these are platform-managed APIs, customers should verify their Google Cloud projects are running on the patched platform version through the Cloud Console. If immediate patching is not possible, implement network-level controls to restrict access to Application Integration API endpoints to only authorized source IPs, though this may impact legitimate integrations. Monitor Application Integration audit logs for suspicious API calls to internal endpoints that should not be externally accessible.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30552
GHSA-5m89-9vmq-75r8