Potential unauthenticated API proxy exposure in Google AI Studio generated Cloud Run applications.
Google AI Studio can generate and deploy web applications to Google Cloud Run. In some generated deployments, the application includes a backend proxy endpoint, commonly exposed under:
/api-proxy
This proxy is designed to forward requests from the deployed web application to the Gemini API while keeping the underlying Google Cloud API key out of the frontend code.
However, in the observed deployment configuration, the /api-proxy endpoint was publicly reachable without authentication or authorization checks. In addition, the Cloud Run service was configured for public ingress, making the proxy accessible directly from the internet.
As a result, an affected deployment may unintentionally become a public Gemini API proxy. Any third party who discovers the deployed domain may be able to send requests to Gemini models through the victim’s Cloud Run service, with all API usage and infrastructure costs charged to the owner of the Google Cloud project.
This issue may lead to the following risks:
An attacker may send high-volume or high-cost requests through the exposed proxy endpoint, including requests to expensive multimodal or long-context models.
The affected developer or organization may be charged for:
- Gemini API usage
- Cloud Run compute time
- Network egress
- Related Google Cloud infrastructure costs
Abusive traffic may consume the victim project’s API quota or trigger rate limits. This can cause legitimate users of the application to receive errors such as:
429 Too Many Requests
or other API quota-related failures.
Large requests or repeated long-running generations may increase Cloud Run latency, consume instance resources, and degrade the normal user experience of the deployed application.
Based on observed behavior, applications generated and deployed through the affected Google AI Studio flow may share a similar architecture and therefore may be vulnerable if they expose the same unauthenticated /api-proxy route.
Observed affected component:
Google AI Studio generated Cloud Run application
Observed exposed endpoint pattern:
https://<deployed-domain>/api-proxy/...
Example route pattern:
/api-proxy/v1beta/models/<model-name>:generateContent
In the observed deployment flow:
- Google AI Studio creates or uses a Google Cloud project.
- A Generative Language API key is created for calling Gemini APIs.
- The generated Cloud Run service receives the API key through backend configuration or environment variables.
- The frontend sends Gemini requests to the backend proxy endpoint:
window.location.origin + "/api-proxy"- The backend proxy forwards those requests to the Gemini API.
- The
/api-proxyendpoint is publicly accessible without verifying the caller’s identity.
This means an attacker does not need access to the API key itself. They only need the public domain of an affected deployment.
The issue can be validated by sending a direct request to the exposed proxy endpoint of an affected deployment.
Example request shape:
POST https://<victim-domain>/api-proxy/v1beta/models/<model-name>:generateContent
Content-Type: application/json{
"contents": [
{
"parts": [
{
"text": "Test request"
}
]
}
]
}If the endpoint returns a successful Gemini API response without requiring authentication, the deployment is exposed.
Note: This proof of concept is intentionally minimal and should only be performed against systems you own or are explicitly authorized to test.
The following indicators were observed in Cloud Run logs from an affected deployment:
Request path:
/api-proxy/v1beta/models/gemini-3.1-flash-image-preview:generateContent
User-Agent:
Go-http-client/2.0
Status:
200 OK
Source IP:
23.94.246.77
Approximate request duration:
~20 seconds
Approximate payload size:
Request: 13.9 MB
Response: 7.8 MB
These indicators suggest automated abuse through server-side scripts rather than normal browser-based application usage.
Common suspicious patterns may include:
- Non-browser User-Agent values
- Requests directly targeting
/api-proxy - Large request or response payloads
- Repeated calls to expensive models
- Requests from data center or hosting provider IP ranges
- Successful
200 OKresponses without a valid user session
Until an official platform-level fix is available, developers should take immediate protective action.
If the application is not actively needed, disable the affected Cloud Run service.
Alternatively, restrict ingress:
Cloud Run → Service → Networking → Ingress
Recommended setting:
Internal
or another restricted setting appropriate for your deployment.
Go to:
Google Cloud Console → APIs & Services → Credentials
Then rotate or delete the API key used by the affected AI Studio deployment.
Also review API key restrictions and ensure the key is not usable outside the intended backend environment.
The proxy endpoint should not accept anonymous requests.
Recommended controls include:
- Require application-level user authentication
- Verify a valid session before forwarding requests
- Reject unauthenticated direct calls
- Apply per-user rate limits
- Apply per-IP rate limits
- Restrict which models can be called
- Enforce request size limits
- Add usage quotas per user or account
The proxy should validate incoming requests before forwarding them to Gemini.
Recommended checks:
- Allowed model list
- Maximum request body size
- Maximum output tokens
- Allowed MIME types
- Expected request schema
- Origin and session consistency
- Abuse scoring or bot detection
If the application is behind Cloudflare or another edge provider, consider adding WAF rules to block suspicious traffic.
Example signals:
Path contains: /api-proxy
User-Agent equals: Go-http-client/2.0
Request body size unusually large
Requests from known data center IP ranges
High request frequency from a single IP
CORS alone is not sufficient, because CORS only protects browser-based access. Server-side scripts can still call the endpoint directly.
Developers should immediately review:
Google Cloud Billing
Cloud Run request logs
Generative Language API usage
API quota dashboards
Useful log filters may include:
/api-proxy
generateContent
Go-http-client
200 OK
A safer architecture should look like this:
Browser
↓
Application backend with authentication
↓
Authorization, rate limiting, validation
↓
Gemini API
The backend should verify the user before forwarding any request to Gemini.
The proxy should never behave as a public unauthenticated pass-through to a billable API.
2026-05-08: Unusual Cloud Run activity and billing risk identified.
2026-05-08: Cloud Run logs reviewed; unauthenticated /api-proxy abuse confirmed.
2026-05-08: Abuse indicators observed, including automated Go client requests.
2026-XX-XX: Vulnerability report submitted to Google Bug Hunters.
2026-XX-XX: Public disclosure prepared to warn affected developers.
This disclosure is intended to help developers identify and mitigate unintended public exposure in applications generated by Google AI Studio.
The goal is to reduce harm, prevent unexpected billing incidents, and encourage a safer default deployment model.
This report does not encourage unauthorized testing, scanning, exploitation, or abuse of third-party deployments.
This document is provided for security research, defensive engineering, and developer awareness purposes only.
Do not test, scan, exploit, or interact with systems that you do not own or do not have explicit permission to assess.
The author is not responsible for misuse of the information contained in this document.