CVE-2026-2264 affects the SetIntegrationRequest policy in Apigee X, where the IntegrationRegion parameter is not validated. An attacker can supply an attacker-controlled host, causing Apigee to issue outbound requests that carry the service account token — effectively enabling credential theft and lateral movement within GCP. Google published bulletin GCP-2026-034 on May 20, 2026. The severity is high because service account tokens can be used to access other GCP resources beyond the API gateway itself. Teams running Apigee X integrations should review the bulletin immediately, assess whether SetIntegrationRequest policies accept user-influenced input for the IntegrationRegion field, and apply any mitigations or patches Google specifies. This class of SSRF-via-misconfigured-parameter vulnerability is particularly dangerous in cloud-native API management layers where service accounts often carry broad IAM permissions.