GCP-2026-010 (Severity: High)


Published
May 20, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Published: 2026-02-13

A vulnerability was identified in the Apigee platform that could have allowed a malicious actor with administrative or developer-level permissions in their own Apigee environment to elevate privileges and access cross-tenant data. Specifically, a vulnerability in Apigee’s sandboxing technology allowed the use of a link-local endpoint to access service account tokens (P4SA) within a customer tenant project. By leveraging this identity, an attacker could theoretically read analytics metadata or tamper with internal monitoring records across other Apigee organizations (tenants).

What should I do?

Take the following actions for each affected product:

Apigee

No action is required for customers using the Google Cloud version of Apigee. Vulnerability fixes have been applied to Apigee release 1-16-0-apigee-3.

Apigee hybrid

To resolve this vulnerability, customers must enable the Pub/Sub-based analytics pipeline and upgrade to a supported hybrid version:

| Feature configuration | Minimum remediated version |
| --- | --- |
| Standard | Apigee hybrid v1.14.0 or higher |
| With Monetization (Mint) enabled | v1.14.3, v1.15.1, or v1.16.0 |

Severity: High

Notes: CVE-2025-13292
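The Apigee hybrid remediation table above can be checked against a cluster inventory. The following is an added example, not code from Google or from this bulletin. The inventory entries, cluster names, and the `mint_enabled` / `pubsub_analytics_enabled` inputs are constructed, and it assumes that later patches on a listed minor line, and minor lines newer than 1.16, carry the fix.

```python
import re

# Bulletin table: with Monetization (Mint) the remediated releases are
# v1.14.3, v1.15.1, or v1.16.0; otherwise v1.14.0 or higher.
MINT_MIN_PATCH = {(1, 14): 3, (1, 15): 1, (1, 16): 0}
STANDARD_MIN = (1, 14, 0)

def parse_version(text):
    """Parse 'v1.14.3', '1.15.1' or '1.14.3-hotfix.1' into (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised hybrid version: {text!r}")
    return tuple(int(part) for part in m.groups())

def remediation_gaps(version, mint_enabled, pubsub_analytics_enabled):
    """Return the outstanding actions; an empty list means remediated."""
    v = parse_version(version)
    line, gaps = v[:2], []
    if not pubsub_analytics_enabled:
        gaps.append("enable the Pub/Sub-based analytics pipeline")
    if not mint_enabled:
        if v < STANDARD_MIN:
            gaps.append("upgrade to Apigee hybrid v1.14.0 or higher")
    elif line in MINT_MIN_PATCH:
        # Assumption: later patches on the same minor line keep the fix.
        if v[2] < MINT_MIN_PATCH[line]:
            gaps.append(f"upgrade to v1.{line[1]}.{MINT_MIN_PATCH[line]}")
    elif line < min(MINT_MIN_PATCH):
        gaps.append("upgrade to v1.14.3, v1.15.1, or v1.16.0")
    # Assumption: minor lines newer than 1.16 already carry the fix.
    return gaps

# Constructed inventory: (name, version, Mint enabled, Pub/Sub analytics enabled)
INVENTORY = [
    ("hybrid-a", "v1.14.2", True, True),
    ("hybrid-b", "1.13.4", False, False),
    ("hybrid-c", "v1.15.1", True, True),
    ("hybrid-d", "1.12.0-hotfix.1", True, False),
]

def audit(inventory):
    return {name: remediation_gaps(*rest) for name, *rest in inventory}

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(f"{name}: {'remediated' if not gaps else '; '.join(gaps)}")
```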

🔗 References (1)