CRITICAL | CVE-2026-2264 | CNA: GoogleCloud
CVE-2026-2264: Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: 1.14.4
- Affected Products: 1
Fix available
1.14.4, 1.15.2, 1.16.1
Affected packages
- Google Cloud / Apigee-X: < 1.14.4 (from 0) · < 1.15.2 (from 0) · < 1.16.1 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber
References