CVE-2026-2264: CWE-918 Server-Side Request Forgery (SSRF) in Google Cloud Apigee-X
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
AI Analysis
Technical Summary
This vulnerability in Google Cloud Apigee-X involves the SetIntegrationRequest policy, which can be manipulated via SSRF to leak service account tokens. Exploitation depends on an insecure API proxy configuration established by an administrator. The vulnerability is tracked as CVE-2026-2264 with a CVSS 4.0 score of 9.2, reflecting critical impact. Since Apigee-X is a cloud service, Google Cloud is responsible for patching and mitigating this issue server-side.
Potential Impact
Successful exploitation allows remote attackers to perform SSRF attacks that can exfiltrate sensitive service account access tokens, potentially leading to unauthorized access to Google Cloud resources. The impact is critical due to the high CVSS score and the nature of token exfiltration. However, exploitation requires an insecure configuration by an administrator, limiting the attack vector to misconfigured environments.
Mitigation Recommendations
As Apigee-X is a cloud-hosted service, Google Cloud manages remediation and patching server-side. Users should verify the vendor advisory for the latest status and ensure API proxies are securely configured to prevent exploitation. No specific patch links are provided, but the patch is available and managed by Google Cloud. Administrators should avoid insecure API proxy configurations to mitigate risk.
CVE-2026-2264: CWE-918 Server-Side Request Forgery (SSRF) in Google Cloud Apigee-X
Description
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
CVSS v4.0
Score 9.2critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Google Cloud Apigee-X involves the SetIntegrationRequest policy, which can be manipulated via SSRF to leak service account tokens. Exploitation depends on an insecure API proxy configuration established by an administrator. The vulnerability is tracked as CVE-2026-2264 with a CVSS 4.0 score of 9.2, reflecting critical impact. Since Apigee-X is a cloud service, Google Cloud is responsible for patching and mitigating this issue server-side.
Potential Impact
Successful exploitation allows remote attackers to perform SSRF attacks that can exfiltrate sensitive service account access tokens, potentially leading to unauthorized access to Google Cloud resources. The impact is critical due to the high CVSS score and the nature of token exfiltration. However, exploitation requires an insecure configuration by an administrator, limiting the attack vector to misconfigured environments.
Mitigation Recommendations
As Apigee-X is a cloud-hosted service, Google Cloud manages remediation and patching server-side. Users should verify the vendor advisory for the latest status and ensure API proxies are securely configured to prevent exploitation. No specific patch links are provided, but the patch is available and managed by Google Cloud. Administrators should avoid insecure API proxy configurations to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GoogleCloud
- Date Reserved
- 2026-02-09T19:20:21.637Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a15d22b891d628fdc6007d9
Added to database: 5/26/2026, 5:02:35 PM
Last enriched: 5/26/2026, 5:33:30 PM
Last updated: 5/26/2026, 9:49:24 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.