Apigee X Security Bulletin: SSRF Vulnerability
A security bulletin has been published for Apigee X detailing a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-2264). The vulnerability arises from insufficient validation of the IntegrationRegion parameter in the SetIntegrationRequest policy, potentially allowing service account token exfiltration. This impacts users who can manipulate flow variables controlling the IntegrationRegion parameter.
- Apigee X: On May 20, 2026, we published a security bulletin for Apigee. A vulnerability was found in Apigee (CVE-2026-2264) where the IntegrationRegion parameter in the SetIntegrationRequest policy lacks validation, allowing for Server-Side Request Forgery (SSRF) and service account token exfiltration. The issue arises when an attacker can control a flow variable used for IntegrationRegion, leading to requests being sent to an attacker-controlled host with the service account token. Security bulletin published: GCP-2026-034
https://docs.cloud.google.com/release-notes#May_20_2026
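To find proxies exposed to the condition the bulletin describes, the following added example (not code from Google or from the bulletin) audits policy XML for SetIntegrationRequest policies whose IntegrationRegion is fed by a flow variable. It assumes the policy file carries an `IntegrationRegion` element whose `ref` attribute names the flow variable; the region allowlist and the sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the regions this organisation really runs integrations in.
ALLOWED_REGIONS = {"us-west1", "europe-west1"}
# Apigee flow variables under these prefixes are filled from the client request.
CLIENT_PREFIXES = ("request.queryparam.", "request.header.",
                   "request.formparam.", "request.content")

def audit_policy(xml_text, allowed=ALLOWED_REGIONS):
    """Return (policy name, severity, detail) findings for one policy file."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("SetIntegrationRequest"):
        name = policy.get("name", "<unnamed>")
        region = policy.find("IntegrationRegion")
        if region is None:
            continue
        ref = (region.get("ref") or "").strip()
        literal = (region.text or "").strip()
        if ref.startswith(CLIENT_PREFIXES):
            findings.append((name, "HIGH", f"region read from client input: {ref}"))
        elif ref:
            findings.append((name, "REVIEW", f"region read from flow variable: {ref}"))
        elif literal not in allowed:
            findings.append((name, "REVIEW", f"literal region not in allowlist: {literal!r}"))
    return findings

# Constructed sample policies (assumed element layout), not from any real proxy.
SAMPLES = [
    '<SetIntegrationRequest name="SIR-Fixed">'
    '<IntegrationRegion>us-west1</IntegrationRegion></SetIntegrationRequest>',
    '<SetIntegrationRequest name="SIR-Query"><IntegrationRegion '
    'ref="request.queryparam.region">us-west1</IntegrationRegion></SetIntegrationRequest>',
    '<SetIntegrationRequest name="SIR-Var">'
    '<IntegrationRegion ref="integration.region"/></SetIntegrationRequest>',
    '<SetIntegrationRequest name="SIR-Odd">'
    '<IntegrationRegion>uswest1</IntegrationRegion></SetIntegrationRequest>',
]

def audit_all(samples=SAMPLES):
    """Audit every sample policy and return the combined findings."""
    return [f for xml_text in samples for f in audit_policy(xml_text)]

if __name__ == "__main__":
    for name, severity, detail in audit_all():
        print(f"{severity:6} {name}: {detail}")
```

A REVIEW finding on a flow variable means tracing where that variable is assigned in the proxy; only values that can never originate from the caller, or that are checked against the allowlist first, are safe to pass to the policy.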
