CVE-2026-2264 - Vulnerability Details - OpenCVE

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034

History

Tue, 26 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
Title		Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.
Weaknesses		CWE-918
References		https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published: 2026-05-26T16:30:45.810Z

Updated: 2026-05-26T16:30:45.810Z

Reserved: 2026-02-09T19:20:21.637Z

Link: CVE-2026-2264

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T17:16:30.760

Modified: 2026-05-26T17:16:30.760

Link: CVE-2026-2264

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2264", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-02-09T19:20:21.637Z", "datePublished": "2026-05-26T16:30:45.810Z", "dateUpdated": "2026-05-26T16:30:45.810Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-05-26T16:30:45.810Z"}, "title": "Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"vendor": "Google Cloud", "product": "Apigee-X", "versions": [{"status": "affected", "version": "0", "lessThan": "1.14.4", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "1.15.2", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "1.16.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Google Cloud Apigee\u00a0SetIntegrationRequest\u00a0policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.\n\nFor successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>A vulnerability in the Google Cloud Apigee </span><code>SetIntegrationRequest</code> <span>policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.<br></span><br><span>For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.</span><br>"}]}], "references": [{"url": "https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber"}}], "solutions": [{"lang": "en", "value": "For Apigee:\u00a0no action is required for customers using the Google Cloud version of Apigee. Vulnerability fixes have been applied to Apigee release\u00a0 1-16-0-apigee-5 https://docs.cloud.google.com/apigee/docs/release-notes#January_20_2026 .\n\n\n\nFor\u00a0Apigee Hybrid:\u00a0you must upgrade to one of the following security patch releases:\n\n\n\n\n\n * for 1.14, upgrade to 1.14.4\n * for 1.15, upgrade to 1.15.2\n * for 1.16, upgrade to 1.16.1", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><span>For Apigee: </span><span>no action is required for customers using the Google Cloud version of Apigee. Vulnerability fixes have been applied to Apigee release</span><span> </span><a href=\"https://docs.cloud.google.com/apigee/docs/release-notes#January_20_2026\">1-16-0-apigee-5</a><span>.</span></p><p><span>For </span><span>Apigee Hybrid: </span><span>you must upgrade to one of the following security patch releases:</span></p><p></p><ul><li><span>for 1.14, upgrade to 1.14.4</span></li><li><span>for 1.15, upgrade to 1.15.2</span></li><li><span>for 1.16, upgrade to 1.16.1</span></li></ul><p></p>"}]}], "credits": [{"lang": "en", "value": "Nikita Markevich", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Google Cloud Apigee\u00a0SetIntegrationRequest\u00a0policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.\n\nFor successful exploitation, an administrator must initially establish an insecure configuration of the API proxy."}], "id": "CVE-2026-2264", "lastModified": "2026-05-26T17:16:30.760", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}, "published": "2026-05-26T17:16:30.760", "references": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "url": "https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034"}], "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary"}]}