Google Patches SSRF Vulnerability in Apigee X SetIntegrationRequest Policy (CVE-2026-2264)

  • Shipped
  • Action required
  • High importance

CVE-2026-2264 affects the SetIntegrationRequest policy in Apigee X, where the IntegrationRegion parameter is not validated before use in outbound requests. An attacker who can influence this parameter can redirect requests to an attacker-controlled host and capture the service account tokens attached to those requests. Google released bulletin GCP-2026-034 on May 20, 2026, alongside a patch. Service account token exfiltration can allow privilege escalation or lateral movement within a GCP project, making this a high-severity finding for any organization running Apigee X integration flows. Teams using the SetIntegrationRequest policy should apply the patch immediately and audit recent integration logs for unexpected outbound requests to external hosts.
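
As an added example (not Google's code and not part of the bulletin), the following Python script reviews exported proxy policy XML and lists SetIntegrationRequest policies whose IntegrationRegion is resolved at runtime or is not shaped like a region name, so they can be checked first when auditing. It assumes the policy XML carries an `<IntegrationRegion>` element with literal text and an optional `ref` attribute naming a flow variable; the region regex, the `<policies>` wrapper, the policy names and the flow variable name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: heuristic shape of a GCP region name such as us-central1.
# This is not the validation rule applied by Google's patch.
REGION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")

# Constructed sample: three policies inside a hypothetical <policies> wrapper.
SAMPLE = """
<policies>
  <SetIntegrationRequest name="SIR-static">
    <IntegrationRegion>us-central1</IntegrationRegion>
  </SetIntegrationRequest>
  <SetIntegrationRequest name="SIR-dynamic">
    <IntegrationRegion ref="request.header.x-region">us-central1</IntegrationRegion>
  </SetIntegrationRequest>
  <SetIntegrationRequest name="SIR-odd">
    <IntegrationRegion>not-a-region.example.test</IntegrationRegion>
  </SetIntegrationRequest>
</policies>
"""

def audit_policies(xml_text):
    """Return (policy name, finding) pairs for SetIntegrationRequest policies."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    # iter() also yields the root, so a single-policy file works unchanged.
    for pol in root.iter("SetIntegrationRequest"):
        name = pol.get("name", "<unnamed>")
        region = pol.find("IntegrationRegion")
        if region is None:
            continue
        ref = region.get("ref")
        literal = (region.text or "").strip()
        if ref:
            # Resolved at runtime: trace where this variable is populated.
            findings.append((name, f"region read from flow variable {ref!r}"))
        if literal and not REGION_RE.match(literal):
            findings.append((name, f"literal {literal!r} is not region-shaped"))
    return findings

if __name__ == "__main__":
    for policy_name, finding in audit_policies(SAMPLE):
        print(f"{policy_name}: {finding}")
```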