Server-Side Request Forgery in Google Cloud Apigee by Google
CVE-2026-2264

9.2CRITICAL

Key Information:

Vendor: Google Cloud
Status: Apigee-x
Vendor: CVE Published:; 26 May 2026

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2026-2264?

A vulnerability in Google Cloud Apigee's SetIntegrationRequest policy permits remote attackers to exploit Server-Side Request Forgery (SSRF), enabling the potential exfiltration of service account access tokens. Exploitation requires an insecure API proxy configuration to be set up by an administrator, thereby exposing sensitive data to attackers. Proper configuration and security measures must be implemented to safeguard against this vulnerability.

Affected Version(s)

Apigee-X 0 < 1.14.4

Apigee-X 0 < 1.15.2

Apigee-X 0 < 1.16.1

References

https://docs.cloud.google.com/apigee/docs/security-bullet...

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
Feb 9, 2026

Credit

Nikita Markevich

CVE-2026-2264 Data

JSON