CVE-2025-13292 HIGH

CVE-2025-13292: Improper access control in Google Cloud Apigee-X allows cross-tenant Analytics modification and log data access.

Vendor Google Cloud
Product Apigee-X
Weakness CWE-269
Published December 6, 2025
Last update January 30, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Clear

What the vulnerability does

01Description

A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this.

Key dates

02Disclosure timeline

December 6, 2025 CVE published
January 30, 2026 Record updated