Skip to main content

Firebase Studio CVE-2026-12715

| EUVDEUVD-2026-45187 HIGH
Missing Authorization (CWE-862)
2026-07-17 GoogleCloud GHSA-cfq8-274p-7h5p
8.5
CVSS 4.0 · Vendor: GoogleCloud
Share

Severity by source

Vendor (GoogleCloud) PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
vuln.today AI
7.7 HIGH

Network-reachable signing endpoint (AV:N/AC:L) needs a valid low-priv account (PR:L); reading another tenant's data crosses an authorization boundary (S:C) with confidentiality-only impact (C:H, I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GoogleCloud).

CVSS VectorVendor: GoogleCloud

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 17, 2026 - 17:02 EUVD
Analysis Generated
Jul 17, 2026 - 16:01 vuln.today
CVE Published
Jul 17, 2026 - 15:09 cve.org
HIGH 8.5

DescriptionCVE.org

Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests.

This vulnerability was patched on 15 April 2026, and no customer action is needed.

AnalysisAI

Cross-tenant data disclosure in Google Cloud Firebase Studio (versions prior to the 2026-04-15 fix) let an authenticated user retrieve other tenants' deployed source code and sensitive data by issuing unauthorized GCS signed-URL requests. The flaw stems from a missing authorization check (CWE-862) on the object-signing path rather than a code-execution bug, so impact is confidentiality-centric. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Firebase Studio (low-priv account)
Delivery
Send crafted GCS URL-signing request for another tenant's object
Exploit
Bypass missing authorization check
Execution
Receive valid signed URL
Impact
Download other users' source code and sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Firebase Studio account (CVSS PR:L) that can invoke the platform's GCS URL-signing functionality; the attacker then supplies signing requests for GCS objects owned by other tenants without holding authorization to them. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H with subsequent-system SC:H/SI:H/SA:H) scores 8.5 and models a network-reachable, low-complexity attack requiring only low privileges (a valid Firebase Studio account) and no user interaction, with impact extending to other tenants - consistent with a multi-tenant isolation break. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker signs up for or already holds a low-privilege Firebase Studio account, then sends crafted GCS URL-signing requests referencing object paths belonging to other tenants' deployments. Because the signing endpoint fails to authorize resource ownership, the service returns valid signed URLs the attacker uses to download other users' source code and sensitive data over the network with no user interaction. …
Remediation No customer action is required: Google remediated the flaw server-side in the Firebase Studio backend on 2026-04-15, so the fix is applied automatically to the hosted service (treat this as 'Patch available per vendor advisory', with the fix dated 2026-04-15 rather than a customer-installable version number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Google Cloud projects using Firebase Studio and classify the sensitivity of deployed code, credentials, and configuration data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy