Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Bans Apps Used to Remotely Disable E-Rickshaws
July 3, 2026
The Future of Encryption: Top Post-Quantum Cryptography Solutions for 2026
July 3, 2026
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Home/CyberSecurity News/Google’s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles
CyberSecurity News

Google’s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles

A significant vulnerability has been identified in Google’s Vertex AI platform. Rooted in default configurations, the flaw allows low-privileged users to escalate privileges by hijacking...

Sarah simpson
Sarah simpson
January 17, 2026 3 Min Read
33 0

A significant vulnerability has been identified in Google’s Vertex AI platform. Rooted in default configurations, the flaw allows low-privileged users to escalate privileges by hijacking Service Agent roles, presenting a notable security risk.

XM Cyber researchers identified two attack vectors in the Vertex AI Agent Engine and Ray on Vertex AI, which Google deemed “working as intended.

Service Agents are managed identities that Google Cloud attaches to Vertex AI instances for internal operations. These accounts receive broad project permissions by default, creating risks when low-privileged users access them.

Attackers exploit this through confused deputy scenarios, where minimal access grants remote code execution (RCE) and allows credential theft from instance metadata.

Both paths start with read-only permissions but end with high-privilege actions, such as accessing Cloud Storage (GCS) or BigQuery. The diagram illustrates the Ray on Vertex AI flow, from persistent resources access to the Custom Code Service Agent compromise.

Google’s Vertex AI Vulnerability
Feature Vertex AI Agent Engine Ray on Vertex AI
Primary Target Reasoning Engine Service Agent Custom Code Service Agent
Vulnerability Type Malicious Tool Call (RCE) Insecure Default Access (Viewer to Root)
Initial Permission aiplatform.reasoningEngines.update aiplatform.persistentResources.get/list
Impact LLM memories, chats, GCS access Ray cluster root; BigQuery/GCS R/W

Agent Engine Tool Injection

Developers deploy AI agents via frameworks like Google’s Agent Development Kit (ADK), which pickles Python code and stages it in GCS buckets. Attackers with aiplatform.reasoningEngines.update permission upload malicious code disguised as a tool, such as a reverse shell in a currency converter function.

Google’s Vertex AI Vulnerability
Vulnerability Chain

A query triggers the tool, executing the shell on the reasoning engine instance. Attackers then query metadata for the Reasoning Engine Service Agent token (service-<project>@gcp-sa-aiplatform-re.iam.gserviceaccount.com), gaining permissions for memories, sessions, storage, and logging. This reads chats, LLM data, and buckets. Public buckets work as staging, needing no storage rights, XM Cyber said.

Ray clusters for scalable AI workloads attach the Custom Code Service Agent to the head node automatically. Users with aiplatform.persistentResources.list/get part of Vertex AI Viewer role access the GCP Console’s “Head node interactive shell” link.

Google’s Vertex AI Vulnerability
Vulnerability Chain

This grants root shell access despite viewer limits. Attackers extract the agent’s token via metadata, enabling GCS/BigQuery read-write, though IAM actions like signBlob are scoped-limited in tests. The second diagram shows the pivot to cloud storage and logging.

Revoke unnecessary Service Agent permissions using custom roles. Disable head node shells and validate tool code before updates. Monitor metadata accesses via Security Command Center’s Agent Engine Threat Detection, which flags RCE and token grabs.

Audit persistent resources and reasoning engines regularly. Enterprises adopting Vertex AI must treat these defaults as risks, not features.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Argus – Python-powered Toolkit for Information Gathering and Reconnaissance

Next Post

Let’s Encrypt has made 6-day IP-based TLS certificates Generally Available

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
July 3, 2026
Nebula AI Platform Automates Pen Testing to Find Vulnerabilities
July 3, 2026
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us