Apigee - Release notes

April 09, 2026

2026-04-09T00:00:00-07:00

Apigee X

Change

Relaxed limitation on header name for Client IP resolution

The client IP can now be resolved from any header, not just the X-Forwarded-For header. The most common headers are X-Forwarded-For or True-Client-Ip.

For more information, see Client IP resolution.

April 06, 2026

2026-04-06T00:00:00-07:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

Agent Registry integration support for MCP metadata (Preview)

API hub now includes a managed integration with Agent Registry to automatically synchronize Model Context Protocol (MCP) servers and tools metadata. This feature enables AI agents to discover and interact with the APIs registered in your hub without manual configuration.

This feature is in Public Preview. For more information, see Manage Agent Registry integration.

Apigee X

Fixed

Correction to April 2, 2026 release note: Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace

For the deployment disruption announced on April 2, the announcement noted that deployment and management functionality using Google Cloud Deployment Manager would definitely be unavailable during the transition. This statement is incorrect. The functionality might be unavailable.

See the Known issue for more information.

Change

On April 6th, 2026, we released an updated version of Apigee.

This change introduces the new apigee.coreServiceAgent IAM role for Apigee. Effective immediately, use apigee.coreServiceAgent instead of the apigee.serviceAgent role.

For information on the new role, see apigee.coreServiceAgent.

April 02, 2026

2026-04-02T00:00:00-07:00

Apigee X

Breaking

Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace

Google Cloud Deployment Manager was deprecated as of March 31, 2026. We are currently transitioning the Apigee Drupal Portal Marketplace solution to use Infrastructure Manager. During this transition period, some deployment and management functionalities are unavailable.

Impact:

New Deployments: Starting April 1, 2026, attempting to deploy a new Apigee Drupal Portal instance using the "Deploy" button on the Google Cloud Marketplace will fail.
Existing Deployments: Your underlying resources (such as VMs and Cloud SQL databases) are unaffected and will continue to run normally. However, you can no longer use Deployment Manager-based features to manage the deployment via the Marketplace UI or the gcloud deployment-manager tool.

Workaround & Resolution: Any configuration changes or management tasks must be performed directly on the individual Google Cloud resources (Compute Engine, Cloud SQL, etc.) rather than through the Marketplace UI.

We are actively working to release the updated Infrastructure Manager-based solution.

March 31, 2026

2026-03-31T00:00:00-07:00

Apigee X

Announcement

On March 31st, 2026, we released an updated version of Apigee.

Feature

General Availability (GA) launch of Model Context Protocol (MCP) in Apigee

With this release, Model Context Protocol (MCP) in Apigee is generally available, enabling you to expose your Apigee APIs as MCP tools to agentic applications.

Any MCP client that supports remote MCP endpoints over HTTP/S can access these tools. Because the endpoints are managed, you don't need to install or manage local MCP servers, remote MCP servers, or additional infrastructure to enable agentic applications to access your services.

MCP in Apigee is available for Subscription, Pay-as-you-go, and Evaluation organizations, including organizations with Data Residency and VPC Service Controls enabled.

For more information on using MCP in Apigee, see MCP in Apigee overview.

Feature

Enhanced OAS server URL path handling for MCP in Apigee

With this feature enhancement, your OpenAPI specification (OAS) configurations behave exactly as defined in the OAS standard, automatically combining the server.url base path value with individual operation paths.

For example, a server URL ofhttps://example.com/api/v1 paired with a path of /users will now correctly route to https://example.com/api/v1/users without additional manual intervention.

If you previously prepended base paths to your OAS paths entries, remove the path segment from your servers.url field to prevent duplication. For example, change https://example.com/api/v1 to https://example.com.

For more information, see Create an OpenAPI 3.0 specification.

Change

Updated MCP server target endpoint for MCP Discovery Proxies

With the GA launch of Model Context Protocol (MCP) in Apigee, the structure of the MCP server target endpoint for MCP Discover Proxies has changed to ORG_NAME.mcp.apigee.internal.

Private preview customers using the previous format (mcp.apigee.internal) are encouraged to update their proxies to reflect the new structure. Existing endpoints using the old format will continue to work, but new endpoints will use the new structure.

Issue

Known Issue 496552286: Deployment fails for MCP Discovery Proxies in regions with capacity limitations.

For more information, see Apigee known issues.

March 26, 2026

2026-03-26T00:00:00-07:00

Apigee X

Announcement

On March 26th, 2026, we released an updated version of Apigee (1-17-0-apigee-6).

Security

Bug ID	Description
495897297, 495909767	Security fix for Apigee infrastructure. This addresses the following vulnerabilities: CVE-2026-33210 CVE-2026-25679 CVE-2026-27139 CVE-2026-27142 2026-33186

Bug ID

Description

495897297, 495909767

Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

Fixed

Bug ID	Description
N/A	Updates to infrastructure and libraries.

March 19, 2026

2026-03-19T00:00:00-07:00

Apigee X

Announcement

On March 19th, 2026, we began maintenance updates of Apigee instances configured for maintenance windows.

If you set a preferred window for maintenance for your instance, and your instance version is below 1-16-0-apigee-6, your instance will be updated to 1-16-0-apigee-6 within the next seven to 21 days. A notification containing the expected date of upgrade will be sent within the next two business days.

For more information on participating in scheduled maintenance windows, see Maintenance overview and Manage Apigee instance maintenance windows.

March 17, 2026

2026-03-17T00:00:00-07:00

Apigee Advanced API Security

Announcement

On March 17, 2026 we released an updated version of Advanced API Security abuse detection

Feature

VPC-SC support in abuse detection

This release includes full support in Advanced API Security abuse detection for VPC-SC customers. This includes support for VPC-SC with the Advanced Anomaly Detection ML model used for abuse detection, as well as detection exclusion lists.

For usage information, see Abuse detection in the documentation.

Apigee X

Announcement

On March 17th, 2026, we released an updated version of Apigee (1-17-0-apigee-5).

Fixed

Bug ID	Description
N/A	Updates to infrastructure and libraries.

March 13, 2026

2026-03-13T00:00:00-07:00

Apigee UI

Announcement

On March 13, 2026, we released an updated version of the Apigee UI.

Feature

Manage environment-scoped Key Value Maps in the Apigee UI

You can now view, add, edit, and delete environment-scoped Key Value Map (KVM) entries in the Apigee UI. For more information, see Using key value maps.

March 12, 2026

2026-03-12T00:00:00-07:00

Apigee hybrid

v1.16.0

Fixed

Fixed in this release

Bug ID	Description
490308770	Fixed malformed `http_proxy` and `https_proxy` strings in Helm templates that occurred when using authenticated outbound proxy configurations.
488417252	Fixed an issue where the Apigee Operator guardrails pod failed to run on EKS with Workload Identity Federation (WIF) by ensuring it runs as the federated principal rather than the default service account.
485526221	Removed the deprecated `apigee-stackdriver-logging-agent` image from the `apigee-pull-push.sh` tool, resolving image pull failures during automated deployments.
484405364	Helm chart images with the `1.16.0-hotfix.1` tag are available for download.
482209901	Added the `watch` permission to the `apigee-manager` role to allow the controller to monitor Deployment resources and resolve watch failures in the namespace.
482077193	Fixed an issue where proxy chaining failed with HTTP 404 `route_not_found` errors in multi-organization, single-namespace configurations.
481793880	Fixed a bug in the `apigeeorg` admission webhook controller that prevented upgrading organizations when monetization was enabled.
479872706	Resolved an issue that prevented loading API products, apps, and developers after migrating data to Apigee hybrid 1.16.0 in configurations using Workload Identity Federation (WIF) with an HTTP Forward Proxy.
479040521	Resolved a regression where the `apigee-operator-guardrails-sa` ServiceAccount was not correctly created on AKS and EKS platforms with Federated Workload Identity enabled.

1.16.0-hotfix.1

Announcement

hybrid 1.16.0-hotfix.1

On March 12, 2026 we released an update to Apigee hybrid 1.16.0-hotfix.1.

Apply this hotfix with the following steps:

In your hybrid Helm charts directory, download the Apigee hybrid 1.16.0-hotfix.1 Helm charts into your hybrid Helm charts directory with the following commands:

export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
export CHART_VERSION=1.16.0-hotfix.1
helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-env --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-ingress-manager --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-org --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-redis --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-telemetry --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-virtualhost --version $CHART_VERSION --untar

Install the hotfix release for Apigee operators, beginning with a dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

After the dry run is successful, install the hotfix release for Apigee operators:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Install the hotfix release for your organization, beginning with a dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

After the dry run is successful, install the hotfix release for your organization:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify the organization chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeorg
```

Install the hotfix release for your environments. Repeat the following steps for each environment, beginning with a dry run:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server

After the dry run is successful, install the hotfix release for your environment:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml

Verify the environment chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```

March 11, 2026

2026-03-11T00:00:00-07:00

Apigee hybrid

v1.15.2

Announcement

hybrid v1.15.2

On March 11, 2026 we released an updated version of the Apigee hybrid software, v1.15.2.

For information on upgrading, see Upgrading Apigee hybrid to version v1.15.2.
For information on new installations, see The big picture.

Fixed

Fixed in this release

Bug ID	Description
469694040	Fixed an issue where custom Java security policies were intermittently not applied during runtime pod restarts or environment contract updates, which could lead to "Permission denied" errors in Java callouts.

Security

Bug ID	Description
471502899, 471173561	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-67735
471502752, 471191392	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-67735
471502495, 471501875, 471126425	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-67735
471016560, 471015664, 471015120	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2022-40897 CVE-2025-47273 CVE-2025-48924
451224723, 451224123	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2010-4756 CVE-2011-3389 CVE-2013-4392 CVE-2015-3276 CVE-2017-14159 CVE-2017-17740 CVE-2018-20796 CVE-2018-5709 CVE-2018-6829 CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024 CVE-2019-1010025 CVE-2019-9192 CVE-2020-15719 CVE-2022-27943 CVE-2023-2953 CVE-2023-31437 CVE-2023-31438 CVE-2023-31439 CVE-2023-45853 CVE-2024-2236 CVE-2024-2379 CVE-2024-26458 CVE-2024-26461 CVE-2025-0725 CVE-2025-10148 CVE-2025-27587 CVE-2025-62813 CVE-2025-9086 CVE-2025-9230 CVE-2025-9232
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerability: CVE-2026-24051
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2026-24051
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerabilities: CVE-2025-68121 CVE-2025-68119 CVE-2025-61732 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-4674
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerabilities: CVE-2026-24051 CVE-2025-68121 CVE-2025-68119 CVE-2025-61732 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907 CVE-2025-4674
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-24051
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187 CVE-2026-24051 CVE-2025-68156 CVE-2025-61729 CVE-2025-4674 CVE-2025-29786
N/A	Security fixes for `apigee-open-telemetry-collector:`. This addresses the following vulnerability: CVE-2025-29786
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerability: CVE-2025-61725
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187 CVE-2026-24051 CVE-2025-68119 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-47913 CVE-2025-4674
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187 CVE-2026-24051 CVE-2025-68119 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-4674
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2025-68121 CVE-2025-68119 CVE-2025-61732 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907 CVE-2025-4674
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerabilities: CVE-2025-61594 CVE-2025-24294
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2026-24051 CVE-2025-68121 CVE-2025-68119 CVE-2025-61732 CVE-2025-61731 CVE-2025-61729 CVE-2025-61726 CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907

March 10, 2026

2026-03-10T00:00:00-07:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

Security monitoring condition support in Advanced API Security for multi-gateway projects

Advanced API Security's multi-gateway Risk Assessment feature (available through API hub) now includes support for security monitoring conditions and alerts.

Security monitoring conditions allow you to map resources (gateways) to security profiles. Cloud Monitoring can then use this mapping to create dedicated dashboards to track security scores over time and alert based on metric levels.

For information on monitoring conditions features and usage see Manage monitoring conditions for multiple Apigee organizations and gateways.

Feature

Support for Apigee Edge Private Cloud (OPDK) in Advanced API Security for multi-gateway projects

API hub Advanced API Security for multi-gateway now includes support for the OPDK gateway type for risk assessment security profiles.

For information on risk assessment custom security profiles and gateway specification, see Create a security profile.

Apigee Advanced API Security

Announcement

On March 10, 2026 we released an updated version of Advanced API Security Abuse Detection

Feature

General availability of monitoring conditions in risk assessment v2

Starting with this release, the risk assessment v2 monitoring conditions feature is generally available.

For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

Apigee X

Announcement

On March 10th, 2026, we released an updated version of Apigee (1-17-0-apigee-4).

Fixed

Bug ID	Description
N/A	Updates to infrastructure and libraries.

Security

Bug ID	Description
483769763, 481735779	Security fix for Apigee infrastructure. This addresses the following vulnerabilities: CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-61732 CVE-2026-24051 CVE-2026-25765

Bug ID

Description

483769763, 481735779

Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

March 05, 2026

2026-03-05T00:00:00-08:00

Apigee Integrated Portal

Announcement

On March 5, 2026 we released a new version of the Apigee integrated portal.

Feature

You can now publish APIs using AsyncAPI documents to render documentation for asynchronous APIs in your portal. For more information, see Publishing your APIs.

March 04, 2026

2026-03-04T00:00:00-08:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

gcloud CLI support for API hub

The gcloud CLI now supports Apigee API hub, allowing you to manage your organization's API catalog, versions, and lifecycle metadata directly from the command line.

For more information see gcloud CLI for API hub.

February 24, 2026

2026-02-24T00:00:00-08:00

Apigee X

Announcement

On February 24th, 2026, we released an updated version of Apigee (1-17-0-apigee-3).

Fixed

Bug ID	Description
470375542	Fixed a memory leak which could result in a spike in 503 responses with `no_healthy_upstream` messages.
480997525	Applied a fix for proxy calls failing with `The URI contains illegal characters` error after Netty upgrade.
485595627	Fixed an issue resulting in TLS handshake errors.

Security

Bug ID

Description

481735779, 457138941, 471232237

Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

February 23, 2026

2026-02-23T00:00:00-08:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

Preview release of specification boost

API hub now supports the preview release of specification boost, an AI-powered add-on that lets you automatically enhance the readability and discoverability of your API specifications in API hub. It analyzes your existing specification files and generates boosted versions enriched with richer details, including additional examples, clearer descriptions, better error documentation, and more.

For more information see Specification boost add-on.

February 13, 2026

2026-02-13T00:00:00-08:00

Apigee UI

Announcement

On February 13, 2026, we released an updated version of the Apigee UI.

Change

Updated the route for Operations Anomalies from apigee/analytics/operations-anomalies to apigee/aapi-ops/operations-anomalies.

Apigee X

Announcement

On February 13, 2026, we published a security bulletin for Apigee.

Security

A vulnerability was identified in the Apigee platform (CVE-2025-13292) that could have allowed a malicious actor with administrative or developer-level permissions in their own Apigee environment to elevate privileges and access cross-tenant data.

Security bulletin published: GCP-2026-010

February 10, 2026

2026-02-10T00:00:00-08:00

Apigee X

Announcement

On February 10, 2026, we released an updated version of Apigee (1-17-0-apigee-2).

Security

Bug ID	Description
481735779, 457138941, 471232237	Security fix for Apigee infrastructure. This addresses the following vulnerabilities: CVE-2025-61730 CVE-2025-68156 CVE-2025-54388 CVE-2025-61727 CVE-2025-61729
470375542	Fixed a memory leak which could result in a spike in 503 responses with `no_healthy_upstream` messages.
480997525	Applied a fix for proxy calls failing with `The URI contains illegal characters` error after Netty upgrade.
485543125	Apigee no longer supports the following `TLS_RSA` cipher suites: `TLS_RSA_WITH_AES_256_GCM_SHA384` `TLS_RSA_WITH_AES_128_GCM_SHA256` `TLS_RSA_WITH_AES_256_CBC_SHA256` `TLS_RSA_WITH_AES_128_CBC_SHA256` `TLS_RSA_WITH_AES_256_CBC_SHA` `TLS_RSA_WITH_AES_128_CBC_SHA`

February 06, 2026

2026-02-06T00:00:00-08:00

Apigee X

Announcement

On February 6th, 2026, we released an updated version of Apigee.

Security

Bug ID	Description
477294854, 477297075, 477297324, 470988850, 471662549	Security fix for Apigee infrastructure. This addresses the following vulnerabilities: CVE-2025-58187 CVE-2025-61723 CVE-2025-61725 CVE-2025-61729 CVE-2025-61727

Bug ID

Description

477294854, 477297075, 477297324, 470988850, 471662549

Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

Apigee hybrid

1.16.0-hotfix.1

Announcement

hybrid 1.16.0-hotfix.1

On February 6, 2026 we released Apigee hybrid 1.16.0-hotfix.1.

Apply this hotfix with the following steps:

In your overrides file, update the image.url and image.tag properties of ao and mart to version 1.16.0-hotfix.1:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.16.0-hotfix.1"

mart:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-mart-server"
    tag: "1.16.0-hotfix.1"

Install the hotfix release for Apigee operators, beginning with a dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for Apigee operators:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Install the hotfix release for your organization, beginning with a dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for your organization:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify the organization chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeorg
```

Install the hotfix release for your environment, beginning with a dry run:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for your environment:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml

Verify the environment chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```

v1.16.0

Fixed

Fixed in this release

Bug ID	Description
479872706	An issue that prevented loading API products, apps, and developers after migrating data to Apigee hybrid 1.16.0 in certain configurations has been resolved.
481793880	An issue that prevented upgrading an existing organization when monetization was enabled has been fixed.

February 03, 2026

2026-02-03T00:00:00-08:00

Apigee Advanced API Security

Announcement

On February 3, 2026 we released an updated version of Advanced API Security security actions

Feature

Support for configuring two condition types within a single security action Announcing the availability of support for two condition types in a single security action. For example, you can include both IP addresses and ASN numbers in the same security action.

This feature is available in Apigee and Apigee hybrid 1.16.0 and later.

Note: This feature is available when configuring the security action via the API, not the UI, at this time.

For usage information, see Configure multiple condition types in the documentation.

February 02, 2026

2026-02-02T00:00:00-08:00

Apigee X

Issue

Known Issue: 480997525 - Proxy calls fail with The URI contains illegal characters error after Netty upgrade

January 27, 2026

2026-01-27T00:00:00-08:00

Apigee UI

Announcement

On January 27, 2026, we released an updated version of the Apigee UI.

Fixed

Show all rows in the Debug properties panel

Fixed an issue where only the first 50 rows were displayed in the Debug properties panel, including the variables tab. The Debug properties table now displays up to 200 rows per page by default. Pagination controls are displayed if the total number of rows exceeds 200.

January 21, 2026

2026-01-21T00:00:00-08:00

Apigee X

Announcement

On January 21st, 2026, we released an updated version of Apigee (1-17-0-apigee-1).

Security

Bug ID	Description
471001896, 469829527, 470953822, 462478248, 474415498	Security fix for Apigee infrastructure. This addresses the following vulnerabilities: CVE-2025-68161 CVE-2025-67735 CVE-2025-47914 CVE-2025-58181 CVE-2025-58767 CVE-2025-4802 CVE-2025-8058 CVE-2025-61727 CVE-2025-61729 CVE-2025-22868 CVE-2025-22869 CVE-2025-22870 CVE-2025-22872

Bug ID

Description

471001896, 469829527, 470953822, 462478248, 474415498

Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

Fixed

Bug ID	Description
433999957	Implemented full TLS validation when fetching JWKS from remote URIs
467762922	Quota enforcement logic for Server-Sent Events (SSE) updated Quotas for SSE are now calculated strictly for events containing explicit token counts. The quota enforcement logic skips SSE that lack token usage metadata.
N/A	Updates to security, infrastructure, and libraries.

January 20, 2026

2026-01-20T00:00:00-08:00

Apigee UI

Deprecated

Debug v1 turndown

As of January 20, 2026, Debug v1 has been turned down and is no longer available. Please use Debug v2 (now referred to as Debug) for debugging API proxies.

January 12, 2026

2026-01-12T00:00:00-08:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

Ingest API Gateway metadata into API hub

API hub now supports automatic metadata ingestion from Google Cloud API Gateway. You can now attach your API Gateway projects to API hub to enable auto-ingestion for all your APIs. For more information see Centralize API management using API hub.

Apigee Advanced API Security

Announcement

On January 12, 2026 we released an updated version of Advanced API Security Abuse Detection

Feature

Introduction of Terraform support for managing Advanced API Security abuse detection exclusion lists

You can now use Terraform to manage Advanced API Security abuse detection exclusion lists. The feedback feature allows you to specify CIDR ranges and IP addresses to exclude from future incident reports, and is used to exclude traffic known to be safe, such as requests related to automated testing.

Note: Exclusion lists are not available for VPC-SC customers at this time.

For usage information, see Exclude traffic from abuse detection and Use Terraform in Apigee in the Apigee documentation and the Terraform abuse detection feedback (exclusion lists) instructions.

Apigee UI

Announcement

On January 12, 2026, we released an updated version of the Apigee UI.

Feature

Manage environment-level resources in the Apigee UI

You can now manage environment-level resources using the Apigee UI. Previously, environment-level resources could only be managed using the API. For more information, see Managing resources.

January 07, 2026

2026-01-07T00:00:00-08:00

Apigee Operator for kubernetes

VERSION_UNSPECIFIED

Announcement

On January 7, 2026, we released an updated version of Apigee.

Feature

The Apigee Operator for Kubernetes version 1.1.1 is now available.

Security

Bug ID	Description
471150886, 471150271, 471150102, 426783172	Security fixes for the Apigee Operator for Kubernetes. This addresses the following vulnerabilities: CVE-2025-55163 CVE-2025-67735 CVE-2025-58057 CVE-2025-58056

Bug ID

Description

471150886, 471150271, 471150102, 426783172

Security fixes for the Apigee Operator for Kubernetes.

This addresses the following vulnerabilities:

December 29, 2025

2025-12-29T00:00:00-08:00

Apigee X

Announcement

On December 29th, 2025, we released an updated version of Apigee.

Feature

The Apigee Extension Processor provisioning API is available

Apigee Extension Processor customers can now use the Extension Processor provisioning API to create traffic extensions. For more information, see Get started with the Apigee Extension Processor

December 23, 2025

2025-12-23T00:00:00-08:00

Apigee X

Announcement

On December 23, 2025, we released an updated version of Apigee.

Feature

New Apigee policies for LLM Token Management are now Generally Available (GA)

Two new Apigee policies for managing Large Language Model (LLM) workloads are now Generally Available (GA). These policies provide fine-grained control and rate-limiting for AI application traffic as follows:

LLMTokenQuota policy
- This policy monitors and enforces limits on LLM response token usage to control overall LLM expenditure and resource allocation.
- It can be configured with (placed in the response flow to track tokens consumed) or (placed in the request flow to block calls if the quota is exceeded).
- If the quota is reached, Apigee returns an HTTP 429 (Too Many Requests) status code.
- For more information, see LLMTokenQuota Policy.
PromptTokenLimit policy
- This policy provides a token-based rate-limiting mechanism analogous to the SpikeArrest policy, specifically for the tokens consumed by the user's prompt message.
- It calculates the prompt's token count using the widely adopted o200k_base encoding technique.
- If the configured token rate limit is exceeded, the incoming request is blocked, returning an HTTP 429 (Too Many Requests) status code.
- For more information, see PromptTokenLimit policy.

Related documents:

December 19, 2025

2025-12-19T00:00:00-08:00

Apigee Monetization

Announcement

On December 19, 2025, we released an updated version of Apigee Monetization.

Feature

Monetization now supports AppGroups. Use AppGroups to manage API product subscriptions for all app developers in the AppGroup at the same time.

For more information, see Use AppGroups to manage API product subscriptions.

Apigee hybrid

v1.16.0

Announcement

hybrid v1.16.0

On December 19, 2025 we released an updated version of the Apigee hybrid software, 1.16.0.

For information on upgrading, see Upgrading Apigee hybrid to version v1.16.
For information on new installations, see The big picture.

Feature

Seccomp Profiles

Apigee Hybrid now offers the capability to apply Seccomp Profiles to your runtime components, significantly enhancing the security posture of your deployment.

This feature allows Apigee administrators and security teams to restrict the system calls (syscalls) a containerized process can make to the host's kernel. By limiting a container to only the necessary syscalls, you can:

Enhance Security: Mitigate the risk of container breakouts and privilege escalation.
Enforce Least Privilege: Ensure components only have access to the exact system calls required for their operation.
Meet Compliance: Provide a critical control for meeting stringent security compliance requirements.

Seccomp profiles are not enabled by default. To enable the feature, see Configure Seccomp profiles for pod security.

Feature

apigee-guardrails service account

In v1.16.0, Apigee Hybrid introduces an apigee-guardrails Google IAM service account. This is used by the apigee-operator chart during initial installation to check that all needed APIs are enabled in your project.

See:

Change

UDCA component removed

In Apigee hybrid v1.16, the Unified Data Collection Agent (UDCA) component has been removed. The responsibilities of sending analytics, trace, and deployment status data to the Apigee control plane are now handled using a Google Cloud Pub/Sub based data pipeline. Using the Pub/Sub based data pipeline has been the default data collection mechanism since Apigee hybrid v1.14.0.

Change

Support for cert-manager release 1.18 and 1.19

Apigee hybrid v1.16 supports cert-manager release 1.18 and 1.19.

Fixed

Fixed in this release

Bug ID	Description
448647917	Fixed a issue where non-SSL connections through a forward proxy could be improperly shared. (also fixed in Apigee 1-16-0-apigee-4)
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a . (also fixed in Apigee 1-16-0-apigee-3)
438192028	Updated the geolocation database to mitigate stale IP-to-location mappings. (also fixed in Apigee 1-16-0-apigee-3)
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (also fixed in Apigee 1-16-0-apigee-3)
436323210	Fixed ingress cert keys to allow both `tls.key`/`key` and `tls.crt`/`cert`.
N/A	Updates to security, infrastructure, and libraries. (also fixed in Apigee 1-16-0-apigee-4)

Fixed

Fixed since last minor release

Bug ID	Description
451841788	Apigee hybrid required the `mintTaskScheduler.serviceAccountPath` property even when Monetization was not enabled. (Fixed in v1.15.1 & v1.14.3)
451375397	The `apigee-pull-push.sh` script could return a No such image error message. (Fixed in v1.15.1 & v1.14.3)
445912919	Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process. (Fixed in v1.15.1)
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a `TargetEndpoint` is configured with a . (Fixed in v1.15.1)
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (Fixed in v1.15.1)
431930277, 395272878	When the configuration property `envs.managementCallsSkipProxy` is set to `true` via helm for environment-level forward proxy, trace and analytics (which use `googleapis.com`) will skip forward proxy. (Fixed in v1.15.1)
423597917	Post of an `AppGroupAppKey` scopes should result in insert operation instead of update. (Fixed in v1.15.1 & v1.14.3)
420675540	Fixed Cassandra based replication for runtime contracts in synchronizer. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
419578402	Mint-Mart forward proxy compatible. (Fixed in v1.15.1 & v1.14.3)
416634326	Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
414499328	`ApigeeTelemetry` could become stuck in `creating` state (Fixed in v1.14.3 & v1.13.4)
412740465	Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway. (Fixed in v1.15.1 & v1.14.3)
409048431	Fixes a vulnerability which could allow a SAML signature verification to be bypassed. (Fixed in v1.15.1 & v1.14.3)
401746333	Fixed a `java.lang.ClassCircularityError` that could occur in Java Callouts due to an issue with the class loading mechanism.(Fixed in v1.15.1 & v1.14.3)
395272878	Separate Forward proxy support for `googleapis.com` and `non-googleapis.com` runtime traffic. (Fixed in v1.14.3)
393615439	OASValidation behavior for `allOf` with `additionalProperties: true`. (Fixed in 1.14.2-hotfix.1)
382565315	A memory leak within the Security Policy has been addressed, improving system stability. (Fixed in v1.13.4)
378686709	*The use of wildcards () in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error.** To apply this fix, follow the procedure in Known issue 378686709. (Fixed in v1.15.1 & v1.14.3)
375360455	Updated apigee-runtime drain timeout to 300s to fix connection termination issue during pod termination. (Fixed in v1.13.4)
367815792	Two new Flow Variables: `app_group_app` and `app_group_name` have been added to VerifyApiKey and Access Token policy. (Fixed in v1.15.1 & v1.14.3)

Security

Fixed in this release

Bug ID	Description
452621774, 452381632, 441266643, 448498138	Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-4) This addresses the following vulnerabilities: CVE-2025-53864 Updated Nimbus JWT library from 9.37.2 to 9.37.4, which introduced changes in behavior including changes to error string verbiage. CVE-2025-8916 CVE-2025-5115 CVE-2024-40094
440419558, 433759657	Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-3) This addresses the following vulnerabilities: CVE-2025-22868 CVE-2025-48924 Note: This fix updates a Java library that is included in Apigee. Reliance on Java libraries that are included with Apigee is not supported. Those libraries are for Apigee product functionality only, and there's no guarantee that a library will be available from release to release. For more information, see Restrictions.
443902061	Security fix for Apigee infrastructure (also fixed in Apigee 1-16-0-apigee-3) This addresses the following vulnerability: CVE-2025-13292 Fixed an issue with improper access control that resulted in cross-tenant analytics modification and access to log data.
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2025-9230
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47913 CVE-2025-47907
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2025-53066 CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749 CVE-2024-13009
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-29786
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-61725
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2022-48174
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerability: CVE-2025-24294
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47913
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187

Security

Fixed since last minor release

Bug ID	Description
448498138	Security fixes for `apigee-runtime`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2024-40094
447367372	Security fixes for `apigee-runtime`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2025-58057
433952146	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-6763
433951774	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-7254
433950558	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-47554
433950370	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-25193
418557195	Security fixes for `apigee-fluent-bit`. (Fixed in v1.15.1) This addresses the following vulnerabilities: CVE-2025-24528 CVE-2025-4207 CVE-2025-1390 CVE-2024-26462 CVE-2024-13176
396944778	Security fixes for `apigee-synchronizer`. (Fixed in v1.13.4) This addresses the following vulnerabilities: CVE-2025-25193 CVE-2025-24970 CVE-2025-23184 CVE-2024-47554
392934392	Security fixes for `apigee-logger`.
N/A	Incorporated an updated base image for `stackdriver-logging-agent`, improving the overall security of the service. (Fixed in 1.14.2-hotfix.1) This addresses the following vulnerabilities (among others and not limited to): CVE-2022-32221 GHSA-jvgm-pfqv-887x
N/A	Security fixes for `apigee-asm-ingress`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-asm-istiod`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-envoy`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-0395
N/A	Security fixes for `apigee-fluent-bit`. (Fixed in v1.14.3 & v1.15.1) This addresses the following vulnerabilities: CVE-2025-32990 CVE-2025-32988
N/A	Security fixes for `apigee-hybrid-cassandra-client`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.14.3) This addresses the following vulnerabilities: CVE-2025-23015 CVE-2025-22871 CVE-2025-24970
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for `apigee-kube-rbac-proxy`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-mart-server`. (Fixed in v1.13.4) This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `apigee-mart-server`. (Fixed in v1.14.3) This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-48795 CVE-2025-48734 CVE-2025-24970 CVE-2024-47554 CVE-2024-47535 CVE-2024-13009 CVE-2024-8184 CVE-2024-7254 CVE-2024-6763

December 17, 2025

2025-12-17T00:00:00-08:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

Advanced API Security for multi-gateway projects

Apigee Advanced API Security can now centrally manage and govern the security posture of your APIs across multiple Apigee projects, environments, and gateways. This enhancement leverages API hub to provide a single, unified view of your API security, helping you to identify risks and enforce standards consistently across your entire organization.

This enhancement introduces the following key capabilities:

Unified risk assessment: view and manage security scores for all your APIs in a centralized dashboard, regardless of which project, environment, or gateway they are deployed in.
Customizable security profiles: create and manage custom security profiles and apply them consistently across your multi-gateway landscape.

Supported gateways:

Apigee X
Apigee hybrid
Apigee Edge Public Cloud

To enable this feature, navigate to the Add-on management page in API hub and enable the Apigee Advanced API Security add-on.

Advanced API Security currently has limited support for VPC Service Controls (VPC-SC). To avoid potential feature limitations, we recommend enabling this add-on for API hub instances associated with Apigee organizations that don't have VPC-SC enabled.

For more information, see Advanced API Security for multiple Apigee organizations and gateways.

Apigee Advanced API Security

Announcement

On December 17, 2025 we released an updated version of Advanced API Security Risk Assessment

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Feature

General availability of Risk Assessment v2 and support for assessments using additional policies

Announcing the general availability of Risk Assessment v2 and support for assessments using the VerifyIAM policy and these three AI policies: SanitizeUserPrompt, SanitizeModelResponse, and SemanticCacheLookup.

Note: The Risk Assessment v2 monitoring conditions feature remains in preview.

For usage information, see Risk Assessment overview and UI in the documentation.

Feature

New risk assessment type field when creating or updating a risk assessment version 2 custom security profile

The API for creating and updating a version 2 risk assessment custom security profile now includes a risk_assessment_type field to specify whether the custom security profile applies to an Apigee/Apigee hybrid instance or to API hub multi-gateway.

This field is optional and defaults to APIGEE; this is not a breaking change for existing risk assessment users.

See REST Resource: organizations.securityProfilesV2 for information on the new functionality.

Apigee Integrated Portal

Announcement

On December 17, 2025 we released a new version of the Apigee integrated portal.

Fixed

Incorrect Cross-Origin-Opener-Policy header in developer portal

A fix has been implemented to address an issue where the Cross-Origin-Opener-Policy response header in the developer portal was malformed with an extra colon. This change ensures the security header is correctly formatted.

Apigee UI

Announcement

On December 17, 2025, we announced that Debug v1 will be shutdown on January 15, 2026. Use Debug v2 instead of Debug v1.

December 15, 2025

2025-12-15T00:00:00-08:00

Apigee API hub

VERSION_UNSPECIFIED

Feature

New API card view

A new card view is now available for APIs in API hub. This view provides a more visual and comprehensive way to browse, edit, and manage your APIs, complementing the existing list view.

The card view highlights key information for each API, such as the owner, last modified date, target users, gateway, API style, and business unit, to enhance discoverability and provide a richer at-a-glance overview of your API landscape.

You can switch between the list and card views from the API hub > APIs page.