Firefly CORS Exploit PoC — H1 Adobe BBP (lucasfutures)

🔓 Adobe Firefly CORS Misconfiguration — Live PoC

Researcher: lucasfutures (HackerOne) • Program: Adobe BBP • Date: 2026-04-15 • Test origin:

Vulnerability: firefly.adobe.io and related Firefly AI hosts reflect any Origin header as Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true. Any web page on any origin can make authenticated cross-origin requests to Firefly AI APIs using a victim's logged-in credentials and read the full response.

1 · Instant proof (runs automatically on page load)

The JavaScript below fetches 7 Firefly AI endpoints cross-origin. Each crossOriginReadSucceeded: true row means the browser allowed this attacker-origin page to read the response — which is only possible if Adobe's server explicitly returns permissive CORS headers.

2 · Why this is exploitable

Victim is authenticated to stock.adobe.com, firefly.adobe.com, or any other Adobe site that uses Firefly backends (IMS session cookie in their browser)

Victim visits attacker-controlled site () via phishing or malvertising

Attacker page calls fetch('https://firefly.adobe.io/...', {credentials:'include'})

Browser sends victim's Adobe cookies (IMS session) with the request

Adobe's server processes the authenticated request AND returns Access-Control-Allow-Origin: <attacker origin> + Allow-Credentials: true

Attacker page reads the authenticated response body — AI generation history, stored prompts, rendition URLs, generative credit consumption, and all exposed headers

3 · Proof that CORS reflects arbitrary origins

$ curl -sI -X OPTIONS 'https://firefly.adobe.io/v2/images/generate' \ -H 'Origin: https://lucas-hackerone.com' \ -H 'Access-Control-Request-Method: POST' HTTP/2 200 access-control-allow-origin: https://lucas-hackerone.com access-control-allow-credentials: true access-control-allow-methods: GET,HEAD,OPTIONS access-control-allow-headers: x-api-key,authorization,content-type access-control-max-age: 86400 access-control-expose-headers: *

4 · Affected endpoints (verified)

Host	Path	CORS reflected?
firefly.adobe.io	/v2/images/generate	✅ Yes
firefly.adobe.io	/v2/images/fill	✅ Yes
firefly.adobe.io	/v2/storage/image	✅ Yes
firefly.adobe.io	/spl	✅ Yes
firefly-clio-imaging.adobe.io	/v2/images/generate	✅ Yes
firefly-st.adobe.io	/spl	✅ Yes
firefly-ae.adobe.io	/spl	✅ Yes

Host

Path

CORS reflected?

firefly.adobe.io

/v2/images/generate

✅ Yes

firefly.adobe.io

/v2/images/fill

✅ Yes

firefly.adobe.io

/v2/storage/image

✅ Yes

firefly.adobe.io

/spl

✅ Yes

firefly-clio-imaging.adobe.io

/v2/images/generate

✅ Yes

firefly-st.adobe.io

/spl

✅ Yes

firefly-ae.adobe.io

/spl

✅ Yes

5 · Impact

Data exposure: Attacker reads victim's AI generation history, stored prompts, rendition URLs, custom models

Financial loss: Attacker consumes victim's generative credits by triggering expensive AI generations (Firefly credits are paid)

Session abuse: Full AI Studio API access as the victim

Works from sandboxed iframes: Origin: null is also reflected — exploit still works from sandbox'd ads