CVE-2026-12715 PUBLISHED

Missing Authorization in Firebase Studio allows Cross-Tenant Source Code Theft

Assigner: GoogleCloud
Reserved: 19.06.2026 Published: 17.07.2026 Updated: 17.07.2026

Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests.

This vulnerability was patched on 15 April 2026, and no customer action is needed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Clear
CVSS Score: 8.5

Product Status

Vendor Google Cloud
Product Firebase Studio
Versions Default: unaffected
  • affected from 0 to 2026-04-15 (excl.)

Solutions

This vulnerability was patched on April 15, 2026 on the server-side.

As a precautionary measure, users who may have stored sensitive information such as API keys (e.g., GEMINI_API_KEY) within their Firebase Studio workspace may choose to rotate these keys.

Instructions for rotating the GEMINI_API_KEY can be found at https://firebase.google.com/docs/studio/troubleshooting#rotate-gemini-key .

Credits

  • A Security Researcher reporter

References

Problem Types

  • CWE-862 Missing Authorization CWE

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs