Cloudinary offers multiple upload methods, some of them are server-side signed-uploads and some are unsigned.
When using unsigned upload, one security consideration needs to be taken into account.
If the upload preset name is known to someone who is not part of the internal team then it can be used with a different cloudinary account to have resources uploaded to the original account.
Note that in any case, using the preset doesn't give anyone the permission to edit, override, delete or do any harm to your own content.
In case a preset name was compromised the below actions can be taken to ensure the account is safe again:
- Changing the upload-preset name to a new one.
- Remove any uploads which do not originally belong to the account
- Move to signed uploads instead of unsigned.