Google Cloud Vertex AI Flaw: Attacker Hijacks Allows Victim’s

Sarah Simpson
June 17, 2026, 3 Min Read

A newly disclosed vulnerability in Google Cloud Vertex AI posed a significant risk, potentially allowing attackers to hijack machine learning model uploads and execute malicious code within victim environments. This finding emerged from research shared with Google under responsible disclosure.

The issue affects the Vertex AI Python SDK (google-cloud-aiplatform) and stems from a combination of predictable cloud storage bucket naming and missing ownership validation.

Unit 42 researchers confirmed that the vulnerable versions 1.139.0 and 1.140.0 exposed organizations to model poisoning and remote code execution (RCE) risks without requiring any initial access to the victim’s cloud project.

Vertex AI is widely used for building and deploying machine learning models. When developers upload models using the SDK, artifacts are temporarily staged in a Google Cloud Storage (GCS) bucket before deployment.

Google Vertex AI Hijack

The flaw occurs when users do not specify a staging bucket, causing the SDK to generate one using a predictable naming pattern.

The SDK verifies only whether the bucket exists, not whether it belongs to the intended project, creating an opportunity for bucket hijacking.

This behavior enables a technique known as “bucket squatting,” where an attacker pre-creates the expected bucket name in their own project. As a result, the victim’s model artifacts are silently uploaded to attacker-controlled infrastructure.

Attack chain flow (Source: Unit 42)

Unit 42 researchers dubbed the exploitation method “Pickle in the Middle,” because it leverages Python’s pickle deserialization to achieve code execution.

The attack unfolds in several stages:

  • The attacker predicts the victim’s default bucket name and creates it in their own project with permissive access controls.
  • When the victim uploads a model, the SDK unknowingly sends artifacts to the attacker’s bucket.
  • A malicious cloud function detects the upload and replaces the model file within milliseconds.
  • The poisoned model is later deployed by Vertex AI infrastructure.
  • During model loading, pickle deserialization executes attacker-controlled code.

This process occurs within a narrow race window of approximately 2.5 seconds, allowing the attacker to swap the model before it is consumed by Google’s service agent.

Change log for the first fix (Source: GitHub, via Unit 42)

Successful exploitation enables full remote code execution inside Vertex AI serving environments. In proof-of-concept testing, attackers were able to:

  • Extract service account tokens from the metadata server.
  • Access other models stored in the same tenant environment.
  • Enumerate BigQuery datasets and permissions.
  • Gather internal infrastructure details from cloud logs.

Notably, the compromised credentials carried broad cloud-platform scope, significantly increasing the blast radius of the attack.

According to Unit 42 researchers at Palo Alto Networks, the vulnerability stems from the SDK’s staging logic in the gcs_utils.py module, where bucket names are generated predictably and validated only for existence, without verifying ownership.

This design flaw allowed cross-project resource abuse, effectively breaking isolation between tenants.

Fix and Mitigation

Google addressed the issue in multiple updates. A first fix introduced randomized bucket naming using UUIDs, while a second patch added explicit bucket ownership verification.

The vulnerabilities were fully resolved in version 1.148.0, released on April 15, 2026.

Developers are strongly advised to:

  • Upgrade the Vertex AI Python SDK (google-cloud-aiplatform) to version 1.148.0 or later.
  • Explicitly define staging buckets instead of relying on defaults.
  • Monitor model integrity during upload and deployment workflows.
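To make the staging-bucket weakness and the fix concrete, here is an added toy model (not the google-cloud-aiplatform SDK's own code) of the logic described above: the pre-fix existence-only check beside a version that requires ownership and uses unguessable default names, plus the digest comparison a pipeline can use to confirm a staged artifact was not swapped before deployment. The bucket registry, the naming pattern and all project names are constructed stand-ins for GCS.

```python
import hashlib
import uuid

# Constructed stub standing in for GCS: bucket name -> owning project.
# The predictable default name has already been squatted by another project.
FAKE_BUCKETS = {
    "victim-proj-vertex-staging": "attacker-proj",
    "my-explicit-staging": "victim-proj",
}


def bucket_owner(name):
    """Return the project that owns a bucket, or None if no such bucket exists."""
    return FAKE_BUCKETS.get(name)


def default_bucket_name(project_id):
    """Hypothetical predictable pattern, illustrative of pre-fix behaviour."""
    return f"{project_id}-vertex-staging"


def resolve_staging_bucket_vulnerable(project_id, staging_bucket=None):
    """Pre-fix logic: accept the default name if *any* bucket with that name exists."""
    name = staging_bucket or default_bucket_name(project_id)
    if bucket_owner(name) is None:
        FAKE_BUCKETS[name] = project_id  # would create it in our own project
    return name  # may be attacker-owned: only existence was checked


def bucket_is_owned_by(project_id, name):
    """Ownership check that the pre-fix code lacked."""
    return bucket_owner(name) == project_id


def resolve_staging_bucket_hardened(project_id, staging_bucket=None):
    """Post-fix logic: random (UUID) default names and explicit ownership verification."""
    name = staging_bucket or f"{project_id}-vertex-staging-{uuid.uuid4().hex}"
    if bucket_owner(name) is None:
        FAKE_BUCKETS[name] = project_id
    elif not bucket_is_owned_by(project_id, name):
        raise PermissionError(f"bucket {name!r} exists but is not owned by {project_id!r}")
    return name


def artifact_unchanged(uploaded_bytes, staged_bytes):
    """Integrity check: the object about to be deployed must match what was uploaded."""
    return hashlib.sha256(uploaded_bytes).digest() == hashlib.sha256(staged_bytes).digest()
```

Pinning an explicit, owned staging bucket (the second mitigation above) is the `staging_bucket="my-explicit-staging"` path; the digest comparison covers the race-window swap even when the bucket is trusted.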

The vulnerability was reported through Google’s Vulnerability Reward Program and assigned high severity. Google deployed fixes rapidly following disclosure in March 2026.

Security experts highlight this issue as a critical example of risks emerging in AI/ML pipelines, where supply chain-style attacks can target model artifacts rather than traditional software components.

Organizations using managed AI platforms are encouraged to adopt stricter controls around storage, identity, and model validation to prevent similar attacks.
