Skip to main content

Google Cloud Apigee CVE-2026-2264

| EUVDEUVD-2026-31865 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-26 GoogleCloud GHSA-vfx9-pmh4-cqpq
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:25 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD
CVSS changed
May 26, 2026 - 17:22 NVD
9.2 (CRITICAL)
CVE Published
May 26, 2026 - 16:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.

For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.

AnalysisAI

Server-Side Request Forgery in Google Cloud Apigee-X's SetIntegrationRequest policy enables remote attackers to coerce the API gateway into making attacker-controlled requests and exfiltrate service account access tokens from the underlying GCP metadata service. The flaw affects Apigee-X versions prior to 1.14.4, 1.15.2, and 1.16.1, but exploitation requires an administrator to have first deployed an API proxy with an insecure configuration. With no public exploit identified and a low EPSS score of 0.14%, the issue carries CVSS 9.2 severity primarily due to the high confidentiality and integrity impact on cloud credentials.

Technical ContextAI

Apigee-X is Google Cloud's managed API gateway platform, and the SetIntegrationRequest policy is used within API proxy flows to construct outbound integration requests to backend services. The vulnerability is a classic CWE-918 Server-Side Request Forgery, where the policy can be manipulated to issue requests to unintended destinations - most notably the GCP instance metadata service, which returns OAuth access tokens for the service account bound to the Apigee runtime. Because Apigee proxies execute server-side with privileged network position and identity, an SSRF here translates directly into cloud identity compromise. The CPE cpe:2.3:a:google_cloud:apigee-x covers the managed Apigee-X offering across the affected version trains 1.14.x, 1.15.x, and 1.16.x.

RemediationAI

Upgrade Apigee-X to 1.14.4, 1.15.2, or 1.16.1 (or later) depending on the version train in use, as Vendor-released patches are available per Google's security bulletin GCP-2026-034 (https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034). Because Apigee-X is managed, much of the runtime patching is handled by Google, but customers should confirm their runtime instance version and apply any required org-level updates. As a compensating control until patched, audit all API proxies that use the SetIntegrationRequest policy and remove insecure configurations - specifically any policy that allows the request URL, host, or destination to be influenced by client-controlled inputs without strict allowlisting; replace dynamic destinations with hardcoded backend targets, which trades some flexibility for safety. Additionally, restrict the IAM privileges of the service account bound to the Apigee runtime to the minimum required, so that even if a token is exfiltrated its blast radius is constrained.

Share

CVE-2026-2264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy