A security researcher revealed that over 30,000 Fiverr PDF task files were indexed by Google after public-facing Cloudinary URLs used by Fiverr were left accessible without expiration or authentication. Fiverr did not acknowledge the report for more than 40 days, and because the issue did not receive a CVE or CERT identifier the researcher published the findings, making sensitive client documents publicly discoverable. #Fiverr #Cloudinary
Keypoints
- More than 30,000 Cloudinary links to Fiverr PDF deliverables were indexed by Google Search.
- The exposed PDFs include sensitive client data and forms containing taxpayer information.
- Fiverrβs implementation used public, non-expiring Cloudinary URLs that required no authentication.
- The researcherβs vulnerability report went unacknowledged for over 40 days and the issue remains unresolved.
- No CVE or CERT was assigned, leading the researcher to publish the findings and make the files publicly accessible.
Read More: https://securityonline.info/fiverr-data-exposure-cloudinary-pdf-leak-2026/