CVE-2026-2264 PUBLISHED

Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.

Assigner: GoogleCloud
Reserved: 09.02.2026 Published: 26.05.2026 Updated: 26.05.2026

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.

For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber
CVSS Score: 9.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Google Cloud
Product	Apigee-X
Versions	Default: unaffected affected from 0 to 1.14.4 (excl.) affected from 0 to 1.15.2 (excl.) affected from 0 to 1.16.1 (excl.)

Solutions

For Apigee: no action is required for customers using the Google Cloud version of Apigee. Vulnerability fixes have been applied to Apigee release 1-16-0-apigee-5 https://docs.cloud.google.com/apigee/docs/release-notes#January_20_2026 .

For Apigee Hybrid: you must upgrade to one of the following security patch releases:

for 1.14, upgrade to 1.14.4
for 1.15, upgrade to 1.15.2
for 1.16, upgrade to 1.16.1

Credits

Nikita Markevich reporter

References

https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE

Impacts

CAPEC-664 Server Side Request Forgery