A flaw in Google's API key system has reportedly exposed mobile applications to unintended access to its Gemini AI platform, CloudSEK said in an advisory published on 8 April 2026. The vulnerability stems from Google's long-standing API key format, which CloudSEK says could allow a key to reach Gemini endpoints whenever the Gemini API is enabled in the corresponding Google Cloud project, without notification or user consent.
CloudSEK reportedly analysed 10,000 Android apps using its BeVigil platform, identifying 32 active keys across 22 applications that collectively account for more than 500 million installs. In one confirmed case, researchers accessed user-uploaded audio files from an English-learning app via the Gemini Files API, along with their metadata, timestamps and accessible links, indicating that private content could be retrieved using exposed keys.
The risks linked to the vulnerability include access to private files stored in Gemini, unauthorized API usage leading to financial losses, and service disruption through quota exhaustion, with examples of charges of $15,400 and losses of $128,000 reported by developers and organisations. Infosecurity has reached out to Google for comment on these findings but had not received a response at the time of publication.
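The practical defence for app developers is to catch an embedded Google API key before a release ships. The pre-release check below is an added example, not code from CloudSEK, BeVigil or Google; it assumes a `strings`-style dump of a build in "path: content" form (constructed sample included) and relies only on the publicly known shape of Google API keys, with a placeholder key that is not a real credential.

```python
import re

# Google Cloud API keys share a long-standing, recognisable shape: the prefix
# "AIza" followed by 35 URL-safe characters. That format is public knowledge;
# the pattern is not taken from the CloudSEK advisory.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Constructed placeholder of the right length; it is not a real credential.
PLACEHOLDER_KEY = "AIza" + "PLACEHOLDER" + "0" * 24

# Constructed sample of "path: content" lines, the sort of output a developer
# gets by running `strings` or apktool over their own release build.
SAMPLE_STRINGS = f"""\
res/values/strings.xml: app_name=EnglishTutor
res/values/strings.xml: gemini_key={PLACEHOLDER_KEY}
assets/config.json: {{"endpoint": "https://generativelanguage.googleapis.com/"}}
classes.dex: Lcom/example/AudioUploader;
"""


def mask(key: str) -> str:
    """Keep only the edges so a finding can be reported without re-leaking it."""
    return key[:8] + "..." + key[-4:]


def find_api_keys(strings_dump: str) -> list[dict]:
    """Return one finding per Google-API-key-shaped token, with its source path."""
    findings = []
    for line in strings_dump.splitlines():
        path, _, content = line.partition(": ")
        for match in GOOGLE_API_KEY_RE.finditer(content):
            findings.append({"path": path, "key": mask(match.group(0))})
    return findings


def release_gate(strings_dump: str) -> bool:
    """True when the build is clean; False means block the release.

    A key that must exist at all belongs behind a server-side proxy, restricted
    to the APIs it actually needs, rather than inside the shipped APK.
    """
    return not find_api_keys(strings_dump)


if __name__ == "__main__":
    for finding in find_api_keys(SAMPLE_STRINGS):
        print(f"embedded key in {finding['path']}: {finding['key']}")
    print("release allowed:", release_gate(SAMPLE_STRINGS))
```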