CVE-2026-2264
Description
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.
For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF vulnerability in Google Cloud Apigee SetIntegrationRequest policy allows remote attackers to exfiltrate service account access tokens if an administrator has configured an insecure API proxy.
Vulnerability
The vulnerability resides in the Google Cloud Apigee SetIntegrationRequest policy. When an administrator has set up an API proxy with an insecure configuration, remote attackers can exploit this policy to perform Server-Side Request Forgery (SSRF). The affected versions include all Apigee deployments using the SetIntegrationRequest policy under such insecure settings. [1]
Exploitation
An attacker must have network access to the Apigee API proxy endpoint. The prerequisite is that an administrator has established an insecure configuration of the API proxy, which allows the attacker to craft requests that trigger the SSRF. The attacker sends specially crafted requests to the vulnerable policy, causing the Apigee runtime to make requests to internal resources, thereby exfiltrating service account access tokens. [1]
Impact
Successful exploitation allows the attacker to exfiltrate service account access tokens. With these tokens, the attacker can gain unauthorized access to any Google Cloud resources the service account is permitted to access, potentially leading to data disclosure, privilege escalation, or further lateral movement within the cloud environment. [1]
Mitigation
Google has published a security bulletin [1] detailing the vulnerability and providing mitigation steps. Users should review the bulletin and apply the recommended configuration changes to ensure API proxies are not set up with insecure configurations. If a patch is available, it should be applied. As of the publication date (2026-05-26), users are advised to follow the guidance in [1] to remediate the issue.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.