An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints.
The vulnerability (CWE-862 — missing required authorization) consists of several internal API endpoints of the Google Cloud Application Integration service being accidentally exposed without proper authentication mechanisms and access controls. An attacker can send specially crafted HTTP requests to these endpoints without any credentials. As a result, it is possible to both disclose sensitive internal data and execute arbitrary code on the server side (RCE).
An unauthenticated remote attacker can execute arbitrary code on the server (RCE) and gain access to sensitive internal information, which may lead to complete takeover of the service and associated resources.
The vulnerability was fixed by the vendor (Google) as part of an update deployed on 2026-01-23. As a managed service (SaaS/PaaS), the patch is applied by Google automatically on the infrastructure side. Users should verify in the vendor's documentation (release notes) whether their environment is using the updated version and apply additional API access controls in accordance with Google Cloud recommendations.
Google Cloud Application Integration in versions published before 2026-01-23
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear