Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Network-reachable signing endpoint (AV:N/AC:L) needs a valid low-priv account (PR:L); reading another tenant's data crosses an authorization boundary (S:C) with confidentiality-only impact (C:H, I:N/A:N).
Primary rating from Vendor (GoogleCloud).
CVSS VectorVendor: GoogleCloud
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests.
This vulnerability was patched on 15 April 2026, and no customer action is needed.
AnalysisAI
Cross-tenant data disclosure in Google Cloud Firebase Studio (versions prior to the 2026-04-15 fix) let an authenticated user retrieve other tenants' deployed source code and sensitive data by issuing unauthorized GCS signed-URL requests. The flaw stems from a missing authorization check (CWE-862) on the object-signing path rather than a code-execution bug, so impact is confidentiality-centric. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Firebase Studio account (CVSS PR:L) that can invoke the platform's GCS URL-signing functionality; the attacker then supplies signing requests for GCS objects owned by other tenants without holding authorization to them. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H with subsequent-system SC:H/SI:H/SA:H) scores 8.5 and models a network-reachable, low-complexity attack requiring only low privileges (a valid Firebase Studio account) and no user interaction, with impact extending to other tenants - consistent with a multi-tenant isolation break. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker signs up for or already holds a low-privilege Firebase Studio account, then sends crafted GCS URL-signing requests referencing object paths belonging to other tenants' deployments. Because the signing endpoint fails to authorize resource ownership, the service returns valid signed URLs the attacker uses to download other users' source code and sensitive data over the network with no user interaction. … |
| Remediation | No customer action is required: Google remediated the flaw server-side in the Firebase Studio backend on 2026-04-15, so the fix is applied automatically to the hosted service (treat this as 'Patch available per vendor advisory', with the fix dated 2026-04-15 rather than a customer-installable version number). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Google Cloud projects using Firebase Studio and classify the sensitivity of deployed code, credentials, and configuration data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45187
GHSA-cfq8-274p-7h5p