Description
An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.
Published: 2026-05-15
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access control flaw exists in several internal API endpoints of Google Cloud Application Integration that allow a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code via specially crafted HTTP requests. The weakness is identified as CWE-862, and the vulnerability carries a maximum CVSS score of 10.

Affected Systems

The affected vendor is Google Cloud, specifically the Internal Integration Platform APIs, with the issue present in versions released prior to 2026‑01‑23. No specific patch versions are listed, and the vulnerability is documented as a restriction to authenticated Google employees only.

Risk and Exploitability

The CVSS score of 10 signals the maximum potential impact, and the EPSS score is currently unavailable, suggesting no high exploitation probability has been published. Because the vulnerability is exploitable from the internet via unauthenticated HTTP requests, the risk is high for systems that inadvertently expose these internal endpoints. The lack of a KEV designation means it has not yet been reported as a known exploited vulnerability, but the severity alone warrants cautious monitoring.

Generated by OpenCVE AI on May 15, 2026 at 17:52 UTC.

Remediation

Vendor Solution

These APIs were intended for internal Google use and access has been restricted to only authenticated Google employees. No action is required from external users.

OpenCVE Recommended Actions

  • No action required from external users.
  • Confirm that the internal Google Cloud Integration Platform APIs are not exposed to the internet.
  • If any exposure is found, report the issue to Google Cloud Security via the appropriate vulnerability reporting channel.

Generated by OpenCVE AI on May 15, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.
Title Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution.
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-05-15T16:11:44.918Z

Reserved: 2026-02-05T22:49:59.398Z

Link: CVE-2026-2031

cve-icon Vulnrichment

Updated: 2026-05-15T16:11:40.824Z

cve-icon NVD

Status : Received

Published: 2026-05-15T16:16:14.027

Modified: 2026-05-15T16:16:14.027

Link: CVE-2026-2031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z

Weaknesses