

























A newly disclosed vulnerability in Google Cloud Vertex AI could have allowed attackers to hijack machine learning model uploads and execute malicious code in victim environments, according to research shared with Google under responsible disclosure.
The issue affects the Vertex AI Python SDK (google-cloud-aiplatform) and stems from a combination of predictable cloud storage bucket naming and missing ownership validation.
Unit42 researchers confirmed that vulnerable versions 1.139.0 and 1.140.0 exposed organizations to model poisoning and remote code execution (RCE) risks without requiring any initial access to the victim’s cloud project.
Vertex AI is widely used for building and deploying machine learning models. When developers upload models using the SDK, artifacts are temporarily staged in a Google Cloud Storage (GCS) bucket before deployment.
The flaw occurs when users do not specify a staging bucket, causing the SDK to generate one using a predictable naming pattern.
The SDK verifies only whether the bucket exists, not whether it belongs to the intended project, creating an opportunity for bucket hijacking.
This behavior enables a technique known as “bucket squatting,” where an attacker pre-creates the expected bucket name in their own project. As a result, the victim’s model artifacts are silently uploaded to attacker-controlled infrastructure.

Unit42 researchers dubbed the exploitation method “Pickle in the Middle,” as it leverages Python’s pickle deserialization to achieve code execution.
The attack unfolds in several stages:
This process occurs within a narrow race window of approximately 2.5 seconds, allowing the attacker to swap the model before it is consumed by Google’s service agent.

Successful exploitation enables full remote code execution inside Vertex AI serving environments. In proof-of-concept testing, attackers were able to:
Notably, the compromised credentials carried broad cloud-platform scope, significantly increasing the blast radius of the attack.
According to Unit 42 researchers at Palo Alto Networks, the vulnerability stems from the SDK’s staging logic in the gcs_utils.py module, where bucket names are generated predictably and validated only for existence, without verifying ownership.
This design flaw allowed cross-project resource abuse, effectively breaking isolation between tenants.
Google addressed the issue in multiple updates. A first fix introduced randomized bucket naming using UUIDs, while a second patch added explicit bucket ownership verification.
The vulnerabilities were fully resolved in version 1.148.0, released on April 15, 2026.
Developers are strongly advised to:
The vulnerability was reported through Google’s Vulnerability Reward Program and assigned high severity. Google deployed fixes rapidly following disclosure in March 2026.
Security experts highlight this issue as a critical example of risks emerging in AI/ML pipelines, where supply chain-style attacks can target model artifacts rather than traditional software components.
Organizations using managed AI platforms are encouraged to adopt stricter controls around storage, identity, and model validation to prevent similar attacks.
CISO & Security Leaders: Your next breach may not have a face. Join ISC2’s LIVE webinar, “Ghost in the Machine” – Book Your Spot Here
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。