We released an updated version of the Apigee hybrid software, 1.15.1

## Announcement ### hybrid v1.15.1 On October 12, 2025 we released an updated version of the Apigee hybrid software, 1.15.1. * For information on upgrading, see [Upgrading Apigee hybrid to version 1.15](https://cloud.google.com/apigee/docs/hybrid/v1.15/upgrade). * For information on new installations, see [The big picture](https://cloud.google.com/apigee/docs/hybrid/v1.15/big-picture). **Note:** This is a patch release: The container images used in patch releases are integrated with the Apigee hybrid Helm charts. Upgrading to a patch via the Helm chart automatically updates the images. No manual image changes are typically needed. For information on container image support in Apigee hybrid releases, see [Apigee release process](https://cloud.google.com/apigee/docs/release/apigee-release-process#apigee-hybrid-container-images). ## Feature **Recurring, top-up, and setup fees for Apigee hybrid monetization** Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see [Enabling monetization for Apigee hybrid](https://cloud.google.com/apigee/docs/hybrid/v1.15/monetization-for-hybrid). ## Feature **Apigee policies for LLM/GenAI workloads** Apigee hybrid now supports the following Apigee policies with support for LLM/GenAI workloads. * [SemanticCacheLookup policy](https://cloud.google.com/apigee/docs/api-platform/reference/policies/semantic-cache-lookup-policy) * [SemanticCachePopulate policy](https://cloud.google.com/apigee/docs/api-platform/reference/policies/semantic-cache-populate-policy) * [SanitizeUserPrompt](https://cloud.google.com/apigee/docs/api-platform/reference/policies/sanitize-user-prompt-policy) * [SanitizeModelResponse](https://cloud.google.com/apigee/docs/api-platform/reference/policies/sanitize-user-prompt-policy) The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values. The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data. **Note:** In Apigee hybrid, this feature has the following limitations: * Support for these policies is limited to installations on Google Cloud Platform. * Apigee hybrid does not support forward proxy with these policies. For more information on using these policies in your Apigee API proxies, see: * [Get started with semantic caching policies](https://cloud.google.com/apigee/docs/api-platform/tutorials/using-semantic-caching-policies) * [Get started with Apigee Model Armor policies](https://cloud.google.com/apigee/docs/api-platform/tutorials/using-model-armor-policies) ## Fix | Bug ID | Description | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **445912919** | **Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process.** | | **442501403** | **Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>.** | | **437999897** | **Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.** | | **431930277**, **395272878** | **When the configuration property [envs.managementCallsSkipProxy](https://cloud.google.com/apigee/docs/hybrid/v1.15/config-prop-ref#envs-managementcallsskipproxy) is set to true via helm for environment-level forward proxy, trace and analytics (which use googleapis.com) will skip forward proxy.** | | **423597917** | **Post of an [AppGroupAppKey](https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.appgroups.apps.keys/updateAppGroupAppKey) scopes should result in insert operation instead of update.** | | **419578402** | **Mint-Mart forward proxy compatible.** | | **412740465** | **Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway.** | | **409048431** | **Fixes a vulnerability which could allow a SAML signature verification to be bypassed.** | | **378686709** | **The use of wildcards (\*) in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error.** To apply this fix, follow the procedure in [Known issue 378686709](https://cloud.google.com/apigee/docs/release/known-issues#378686709). | | **367815792** | **Two new Flow Variables: app\_group\_app and app\_group\_name have been added to VerifyApiKey and Access Token policy.** | ## Security | Bug ID | Description | | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **448498138** | **Security fixes for apigee-runtime.** This addresses the following vulnerability: [CVE-2024-40094](https://nvd.nist.gov/vuln/detail/CVE-2024-40094) | | **447367372** | **Security fixes for apigee-runtime.** This addresses the following vulnerability: [CVE-2025-58057](https://nvd.nist.gov/vuln/detail/CVE-2025-58057) | | **418557195** | **Security fixes for apigee-fluent-bit.** This addresses the following vulnerabilities: [CVE-2025-24528](https://nvd.nist.gov/vuln/detail/CVE-2025-24528) [CVE-2025-4207](https://nvd.nist.gov/vuln/detail/CVE-2025-4207) [CVE-2025-1390](https://nvd.nist.gov/vuln/detail/CVE-2025-1390) [CVE-2024-26462](https://nvd.nist.gov/vuln/detail/CVE-2024-26462) [CVE-2024-13176](https://nvd.nist.gov/vuln/detail/CVE-2024-13176) | | **N/A** | **Security fixes for apigee-fluent-bit.** This addresses the following vulnerabilities: [CVE-2025-32990](https://nvd.nist.gov/vuln/detail/CVE-2025-32990) [CVE-2025-32988](https://nvd.nist.gov/vuln/detail/CVE-2025-32988) | | **N/A** | **Security fixes for apigee-hybrid-cassandra.** This addresses the following vulnerability: [CVE-2025-23015](https://nvd.nist.gov/vuln/detail/CVE-2025-23015) | | **N/A** | **Security fixes for apigee-mart-server.** This addresses the following vulnerabilities: [CVE-2025-58057](https://nvd.nist.gov/vuln/detail/CVE-2025-58057) [CVE-2025-58056](https://nvd.nist.gov/vuln/detail/CVE-2025-58056) [CVE-2025-55163](https://nvd.nist.gov/vuln/detail/CVE-2025-55163) [CVE-2025-48924](https://nvd.nist.gov/vuln/detail/CVE-2025-48924) [CVE-2025-48795](https://nvd.nist.gov/vuln/detail/CVE-2025-48795) [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734) [CVE-2025-24970](https://nvd.nist.gov/vuln/detail/CVE-2025-24970) [CVE-2024-47554](https://nvd.nist.gov/vuln/detail/CVE-2024-47554) [CVE-2024-47535](https://nvd.nist.gov/vuln/detail/CVE-2024-47535) [CVE-2024-13009](https://nvd.nist.gov/vuln/detail/CVE-2024-13009) [CVE-2024-8184](https://nvd.nist.gov/vuln/detail/CVE-2024-8184) [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254) [CVE-2024-6763](https://nvd.nist.gov/vuln/detail/CVE-2024-6763) | | **N/A** | **Security fixes for apigee-stackdriver-logging-agent.** This addresses the following vulnerabilities: [CVE-2025-58767](https://nvd.nist.gov/vuln/detail/CVE-2025-58767) [CVE-2025-24294](https://nvd.nist.gov/vuln/detail/CVE-2025-24294) [CVE-2023-33953](https://nvd.nist.gov/vuln/detail/CVE-2023-33953) [CVE-2022-32511](https://nvd.nist.gov/vuln/detail/CVE-2022-32511) [CVE-2022-29181](https://nvd.nist.gov/vuln/detail/CVE-2022-29181) [CVE-2022-24839](https://nvd.nist.gov/vuln/detail/CVE-2022-24839) [CVE-2022-24836](https://nvd.nist.gov/vuln/detail/CVE-2022-24836) [CVE-2022-0759](https://nvd.nist.gov/vuln/detail/CVE-2022-0759) [CVE-2021-41817](https://nvd.nist.gov/vuln/detail/CVE-2021-41817) [CVE-2021-31799](https://nvd.nist.gov/vuln/detail/CVE-2021-31799) [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) [CVE-2021-28965](https://nvd.nist.gov/vuln/detail/CVE-2021-28965) [CVE-2021-23214](https://nvd.nist.gov/vuln/detail/CVE-2021-23214) [CVE-2020-25695](https://nvd.nist.gov/vuln/detail/CVE-2020-25695) [CVE-2020-25694](https://nvd.nist.gov/vuln/detail/CVE-2020-25694) [CVE-2020-25613](https://nvd.nist.gov/vuln/detail/CVE-2020-25613) [CVE-2019-3881](https://nvd.nist.gov/vuln/detail/CVE-2019-3881) [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) [CVE-2018-1115](https://nvd.nist.gov/vuln/detail/CVE-2018-1115) [CVE-2018-10915](https://nvd.nist.gov/vuln/detail/CVE-2018-10915) [CVE-2018-1058](https://nvd.nist.gov/vuln/detail/CVE-2018-1058) [CVE-2018-1053](https://nvd.nist.gov/vuln/detail/CVE-2018-1053) [CVE-2017-7546](https://nvd.nist.gov/vuln/detail/CVE-2017-7546) [CVE-2017-7484](https://nvd.nist.gov/vuln/detail/CVE-2017-7484) [CVE-2017-15098](https://nvd.nist.gov/vuln/detail/CVE-2017-15098) [CVE-2017-14798](https://nvd.nist.gov/vuln/detail/CVE-2017-14798) [CVE-2016-7954](https://nvd.nist.gov/vuln/detail/CVE-2016-7954) [CVE-2016-7048](https://nvd.nist.gov/vuln/detail/CVE-2016-7048) [CVE-2016-5424](https://nvd.nist.gov/vuln/detail/CVE-2016-5424) [CVE-2016-5423](https://nvd.nist.gov/vuln/detail/CVE-2016-5423) [CVE-2016-0766](https://nvd.nist.gov/vuln/detail/CVE-2016-0766) [CVE-2015-3167](https://nvd.nist.gov/vuln/detail/CVE-2015-3167) [CVE-2015-3166](https://nvd.nist.gov/vuln/detail/CVE-2015-3166) [CVE-2015-0244](https://nvd.nist.gov/vuln/detail/CVE-2015-0244) [CVE-2015-0243](https://nvd.nist.gov/vuln/detail/CVE-2015-0243) [CVE-2015-0241](https://nvd.nist.gov/vuln/detail/CVE-2015-0241) | ## Change **Documentation change** The following documents have been changed or introduced to align the Apigee hybrid installation guides with the supported methods for service account authentication: * [Service account authentication methods in Apigee hybrid](https://cloud.google.com/apigee/docs/hybrid/v1.15/sa-authentication-methods) \- A new overview topic for service account authentication. * [Storing service account keys in Kubernetes secrets](https://cloud.google.com/apigee/docs/hybrid/v1.15/storing-sa-keys-in-k8s-secrets) \- A new topic. * [Step 4: Create service accounts](https://cloud.google.com/apigee/docs/hybrid/v1.15/install-service-accounts) \- Rewritten to accommodate all supported methods of service account authentication. * [Step 5: Set up service account authentication](https://cloud.google.com/apigee/docs/hybrid/v1.15/install-sa-authentication) \- A new topic on configuring authentication after creating service accounts. * [Step 7: Create the overrides](https://cloud.google.com/apigee/docs/hybrid/v1.15/install-create-overrides) and [Step 11: Install Apigee hybrid Using Helm](https://cloud.google.com/apigee/docs/hybrid/v1.15/install-helm-charts) \- Topics revised to provide templates, examples, and procedures for each supported type of service account authentication. * **Step 11(Optional): Configure Workload Identity** \- Topic removed. The procedures are included in [Step 11: Install Apigee hybrid Using Helm: WIF for GKE](https://cloud.google.com/apigee/docs/hybrid/v1.15/install-helm-charts.html#wif-for-gke)