Search criteria

1 vulnerability found for Internal Integration Platform APIs by Google Cloud

CVE-2026-2031 (GCVE-0-2026-2031)

Vulnerability from cvelistv5 – Published: 2026-05-15 15:38 – Updated: 2026-05-15 16:11
VLAI?
Title
Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution.
Summary
An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.
CWE
Assigner
Impacted products
Vendor Product Version
Google Cloud Internal Integration Platform APIs Affected: 0 , < 2026-01-23 (date)
Create a notification for this product.
Credits
Arvin Shivram
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2031",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-15T16:11:37.669265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T16:11:44.918Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Internal Integration Platform APIs",
          "vendor": "Google Cloud",
          "versions": [
            {
              "lessThan": "2026-01-23",
              "status": "affected",
              "version": "0",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Arvin Shivram"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eAn Improper Access Control\u0026nbsp;vulnerability in\u0026nbsp;\u003cspan\u003eseveral internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows\u0026nbsp;\u003c/span\u003e\u003cspan\u003ea remote, unauthenticated attacker\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eto\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003edisclose sensitive internal information and execute arbitrary code\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eusing\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003especially crafted HTTP requests to inadvertently exposed internal API endpoints.\u003c/span\u003e\u003c/div\u003e"
            }
          ],
          "value": "An Improper Access Control\u00a0vulnerability in\u00a0several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows\u00a0a remote, unauthenticated attacker\u00a0to\u00a0disclose sensitive internal information and execute arbitrary code\u00a0using\u00a0specially crafted HTTP requests to inadvertently exposed internal API endpoints."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T15:38:24.607Z",
        "orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
        "shortName": "GoogleCloud"
      },
      "references": [
        {
          "url": "https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#May_07_2026"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThese APIs were intended for internal Google use and access has been restricted\u0026nbsp;to only authenticated Google employees.\u003c/p\u003e\u003cp\u003eNo action is required from external users.\u003c/p\u003e"
            }
          ],
          "value": "These APIs were intended for internal Google use and access has been restricted\u00a0to only authenticated Google employees.\n\n\n\nNo action is required from external users."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution.",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
    "assignerShortName": "GoogleCloud",
    "cveId": "CVE-2026-2031",
    "datePublished": "2026-05-15T15:38:24.607Z",
    "dateReserved": "2026-02-05T22:49:59.398Z",
    "dateUpdated": "2026-05-15T16:11:44.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}