CVE-2026-12715

Google · Firebase Studio

Google Cloud Firebase Studio was affected by a missing authorization vulnerability allowing unauthorized users to download source code and access sensitive data via GCS URL signing requests.

Executive summary

A critical authorization flaw in Google Cloud Firebase Studio allowed unauthorized access to sensitive source code and data, which has been addressed by a server-side patch.

Vulnerability

This was a missing authorization vulnerability where authenticated users could perform unauthorized GCS URL signing requests. This could lead to the exposure of deployed source code and other sensitive information.

Business impact

The exposure of source code and sensitive data presents a high risk of intellectual property theft and credential compromise. With a CVSS score of 8.5, the potential for unauthorized data exfiltration is significant, necessitating a thorough review of exposed secrets.

Remediation

Immediate Action: This vulnerability was patched server-side on April 15, 2026. Users who may have stored sensitive information, such as API keys (e.g., GEMINI_API_KEY), within their workspaces should rotate these keys immediately.

Proactive Monitoring: Review access logs for any unauthorized GCS URL signing requests that occurred prior to the patch date to determine if data exfiltration took place.

Compensating Controls: Ensure that sensitive environment variables and API keys are stored in a secure secrets management service rather than directly within the workspace.

Exploitation status

Public Exploit Available: No

Analyst recommendation

While the vendor has applied a server-side patch, the risk of data compromise remains if sensitive keys were stored in the affected environment. Organizations must perform an audit of their Firebase Studio workspaces and execute a rotation of all stored secrets to ensure complete remediation.