A flaw in the SetIntegrationRequest policy of Google Cloud Apigee permits attackers to execute server‑side requests and to harvest service account access tokens. The vulnerability is a classic instance of CWE‑918, allowing an attacker to provoke the Apigee runtime to reach internal or external destinations that it otherwise could not. The result is the compromise of authentication credentials, potentially exposing sensitive data or enabling further internal attacks.

The issue surfaces in Google Cloud Apigee‑X, specifically within the Google Cloud‑managed version and the Hybrid deployment model. For the Google Cloud‑managed Apigee, the vulnerability was fixed in release 1‑16‑0‑apigee‑5 and no action is required for customers already on or above that version. In contrast, Hybrid customers must upgrade to one of the security patch releases: 1.14.4 for the 1.14 platform, 1.15.2 for 1.15, or 1.16.1 for 1.16.

The CVSS score of 9.2 classifies this flaw as critical, and while the EPSS score is unavailable, the high base score and the potential to expose credentials highlight a significant threat. It does not appear in the CISA KEV catalog, but its severity warrants immediate attention. Exploitation requires an administrator to establish an insecure configuration of the API proxy, meaning the attack vector is likely internal with privileged access or a configuration error. Once this condition is met, the attacker can send crafted requests that reach arbitrary network destinations and pull back authentication tokens, with no additional groundwork beyond the misconfiguration.