CVE-2026-2264
Awaiting Analysis Awaiting Analysis - Queue
Server-Side Request Forgery in Google Cloud Apigee SetIntegrationRequest Policy

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GoogleCloud

Description
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2264
EUVD
EUVD-2026-31865
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
google apigee 1-16-0-apigee-5
google apigee_hybrid From 1.14.4 (inc)
google apigee_hybrid From 1.15.2 (inc)
google apigee_hybrid From 1.16.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2264 is a vulnerability in the Google Cloud Apigee SetIntegrationRequest policy where the IntegrationRegion parameter lacks proper validation.

This flaw allows remote attackers to perform Server-Side Request Forgery (SSRF), enabling them to send crafted requests to arbitrary hosts.

By exploiting this, attackers can exfiltrate service account access tokens, potentially gaining unauthorized access.

Successful exploitation requires an administrator to have initially configured the API proxy insecurely.

Impact Analysis

This vulnerability can have a high impact as it allows attackers to perform SSRF attacks and steal service account tokens.

With stolen service account tokens, attackers may gain unauthorized access to cloud resources and services, potentially leading to data breaches or further compromise.

The severity of this vulnerability is rated as High, indicating significant risk if exploited.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-2264 in Google Cloud Apigee's SetIntegrationRequest policy, users of Apigee Hybrid must upgrade to the appropriate security patch releases: version 1.14.4 for Apigee Hybrid 1.14, version 1.15.2 for 1.15, or version 1.16.1 for 1.16.

For users of the Google Cloud Apigee version, no action is required as fixes were already applied in release 1-16-0-apigee-5.

Compliance Impact

The vulnerability in Google Cloud Apigee's SetIntegrationRequest policy allows attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. This could lead to unauthorized access to sensitive data or systems.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against data breaches.

However, the provided information does not explicitly detail the direct impact on compliance frameworks or specific regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart