GatewayToHeaven Finding a Cross-Tenant Vulnerability in GCP'...#254
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://omeramiad.com/posts/gatewaytoheaven-gcp-cross-tenant-vulnerability/
Content Categories: Based on the analysis, this content was categorized under "GCP Pentesting -> Post Exploitation (Cloud Dataflow / Pub-Sub / Storage) and/or GCP -> Privilege Escalation (metadata token theft + IAM permission enumeration); add a technique note under GCP metadata SSRF about bypassing mitigations via header-stripping in gateways/proxies".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Post: “GatewayToHeaven: Finding a Cross-Tenant Vulnerability in GCP's Apigee” (published 2026-01-28). The author describes a multi-step exploit chain in Google Cloud Apigee (managed SaaS) that resulted in cross-tenant read/write access to Apigee analytics/logging artifacts across unrelated customers, including logs containing plaintext end-user access tokens. The issue was assigned CVE-2025-13292.
High-level outcome (why this matters)<...
🔧 Technical Details
SSRF to cloud metadata via configurable API gateways/proxies: If a gateway/proxy can be configured to forward requests to arbitrary backends, pointing the backend to 169.254.169.254 can expose the workload’s metadata server and yield short-lived service-account tokens. If the platform injects SSRF-mitigation headers (e.g., X-Forwarded-For causing metadata rejection), look for request-mutation stages/policies (e.g., Apigee AssignMessage) that can remove/overwrite those headers before forwarding to the backend.

Cloud IAM permission discovery after token theft: After obtaining a service-account token, systematically enumerate effective permissions using automated tooling (e.g., gcpwn) to find high-leverage primitives like disk snapshotting, bucket read/write, and Pub/Sub publishing that enable deeper compromise and pivoting.
GCP disk snapshot exfiltration for ...
🤖 Agent Actions
Updated gcp-post-exploitation/README.md with a detailed Apigee-to-Dataflow cross-tenant exploitation chain: metadata SSRF bypass via AssignMessage header stripping, permission discovery with gcpwn, snapshot exfil for managed disks, Dataflow JAR replacement and GCS-based exfil, Pub/Sub-driven autoscaling trigger, and the shared bucket path flaw enabling cross-tenant analytics access. Added references to the source blog and Apigee AssignMessage policy docs.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
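
A defensive audit for the header-stripping bypass described under Technical Details, added here as an example (not code from this PR, the blog post, or Apigee): it parses exported proxy bundle XML and flags bundles whose target URL is the metadata service and whose AssignMessage policies remove or overwrite X-Forwarded-For. The function names, severity labels and sample XML are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

GUARD_HEADERS = {"x-forwarded-for"}  # header the page names as blocking metadata access
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

def targets_metadata(target_xml):
    """True if any <URL> in a TargetEndpoint points at the metadata service."""
    for url in ET.fromstring(target_xml).iter("URL"):
        try:
            host = (urlparse((url.text or "").strip()).hostname or "").lower()
            if host in METADATA_HOSTS or ipaddress.ip_address(host).is_link_local:
                return True
        except ValueError:  # not an IP literal (ordinary hostname or flow variable)
            continue
    return False

def mutated_guard_headers(policy_xml):
    """Guard headers that an AssignMessage policy removes or overwrites on a request."""
    root = ET.fromstring(policy_xml)
    assign_to = root.find("AssignTo")
    if root.tag != "AssignMessage" or (
            assign_to is not None and assign_to.get("type", "").lower() == "response"):
        return set()
    hit = set()
    for action in ("Remove", "Set"):
        for headers in root.findall(f"{action}/Headers"):
            names = {h.get("name", "").lower() for h in headers.findall("Header")}
            if action == "Remove" and not names:
                names = set(GUARD_HEADERS)  # empty <Headers/> removes every header
            hit |= names & GUARD_HEADERS
    return hit

def audit_bundle(policies, targets):
    """Return (severity, metadata_targets, header_policies) for one proxy bundle."""
    meta = sorted(n for n, x in targets.items() if targets_metadata(x))
    strip = sorted(n for n, x in policies.items() if mutated_guard_headers(x))
    severity = "critical" if meta and strip else "high" if meta else "review" if strip else "ok"
    return severity, meta, strip

# Constructed sample bundle for the audit (not taken from the blog post or the PR).
SAMPLE_TARGETS = {"default": "<TargetEndpoint name='default'><HTTPTargetConnection>"
                  "<URL>http://169.254.169.254/</URL></HTTPTargetConnection></TargetEndpoint>"}
SAMPLE_POLICIES = {"AM-clean": "<AssignMessage name='AM-clean'><Remove><Headers>"
                   "<Header name='X-Forwarded-For'/></Headers></Remove>"
                   "<AssignTo createNew='false' type='request'/></AssignMessage>"}

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_POLICIES, SAMPLE_TARGETS))
```

Run it over every revision of every proxy in an organization; a "review" result alone is common in legitimate proxies, so the pairing with a metadata target is what warrants escalation.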