CVE-2026-2264
Received Received - Intake
Server-Side Request Forgery in Google Cloud Apigee SetIntegrationRequest Policy

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GoogleCloud

Description
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-05-26
AI Q&A
2026-05-26
EPSS Evaluated
N/A
NVD
CVE-2026-2264
EUVD
EUVD-2026-31865
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
google apigee 1-16-0-apigee-5
google apigee_hybrid From 1.14.4 (inc)
google apigee_hybrid From 1.15.2 (inc)
google apigee_hybrid From 1.16.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in Google Cloud Apigee's SetIntegrationRequest policy allows attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. This could lead to unauthorized access to sensitive data or systems.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against data breaches.

However, the provided information does not explicitly detail the direct impact on compliance frameworks or specific regulatory requirements.


Can you explain this vulnerability to me?

CVE-2026-2264 is a vulnerability in the Google Cloud Apigee SetIntegrationRequest policy where the IntegrationRegion parameter lacks proper validation.

This flaw allows remote attackers to perform Server-Side Request Forgery (SSRF), enabling them to send crafted requests to arbitrary hosts.

By exploiting this, attackers can exfiltrate service account access tokens, potentially gaining unauthorized access.

Successful exploitation requires an administrator to have initially configured the API proxy insecurely.


How can this vulnerability impact me? :

This vulnerability can have a high impact as it allows attackers to perform SSRF attacks and steal service account tokens.

With stolen service account tokens, attackers may gain unauthorized access to cloud resources and services, potentially leading to data breaches or further compromise.

The severity of this vulnerability is rated as High, indicating significant risk if exploited.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability CVE-2026-2264 in Google Cloud Apigee's SetIntegrationRequest policy, users of Apigee Hybrid must upgrade to the appropriate security patch releases: version 1.14.4 for Apigee Hybrid 1.14, version 1.15.2 for 1.15, or version 1.16.1 for 1.16.

For users of the Google Cloud Apigee version, no action is required as fixes were already applied in release 1-16-0-apigee-5.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart