CVE-2026-12879 PUBLISHED

Cross-Tenant Data Exfiltration in Apigee via BigQuery Confused Deputy

Assigner: GoogleCloud
Reserved: 22.06.2026 Published: 09.07.2026 Updated: 09.07.2026

An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data.

This vulnerability was patched on 12 June 2026 on the Apigee Servers, and no customer action is needed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/U:Clear
CVSS Score: 5.9

Product Status

Vendor Google Cloud
Product Apigee
Versions Default: unaffected
  • affected from 0 to 2026-06-12 (excl.)

Credits

  • Moshe Bernstein with Tenable reporter

References

Problem Types

  • CWE-610 Externally Controlled Reference to a Resource in Another Sphere CWE
  • CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') CWE

Impacts

  • CAPEC-465 Transparent Proxy Abuse