Vulnerability in Google Cloud Vertex AI SDK Enables Remote Code Execution
A recently discovered vulnerability in the Google Cloud Vertex AI SDK for Python allows an attacker to hijack a user’s model upload and execute arbitrary code. This finding was reported by Palo Alto Networks’ Unit 42 team, which responsibly disclosed the issue to Google before the release of a fix. The vulnerability primarily affects versions 1.139.0 and 1.140.0 of the SDK.
This security flaw stems from a predictable bucket naming convention combined with a lack of ownership verification in the SDK’s model upload process. When a user uploads a model without specifying a custom staging bucket, the SDK automatically creates a bucket based on the project ID and region. An attacker who knows the victim’s project ID can create this bucket in their own project—a tactic referred to as bucket squatting. As a result, when the victim uploads a model, it is unlawfully redirected to the attacker’s bucket, where the attacker can replace it with a malicious version carrying an executable payload. This exploitation leads to remote code execution within the victim’s cloud environment.
The attack methodology known as “Pickle in the Middle” leverages a vulnerability in Python’s pickle module, which is often used for object serialization in the machine learning framework. During the deserialization process, an attacker can craft a payload that runs arbitrary code, facilitating unauthorized access to sensitive data and potential lateral movement within the cloud infrastructure.
Defensive Context
Organizations using Google Cloud services, especially those relying on the Vertex AI SDK for Python, should be aware of this vulnerability. Those who have not updated to version 1.148.0 or later are particularly at risk. The mechanics of this attack do not require initial access to a victim’s project or social engineering tactics, making it a concerning threat for any organization that utilizes the SDK without full access controls.
Why This Matters
This vulnerability poses a significant risk to enterprises employing the Vertex AI SDK, especially those in sectors highly dependent on machine learning models, as it demonstrates how oversight in cloud services can lead to severe security incidents. The threat is real for organizations that do not specify a staging bucket, as they become susceptible to model poisoning and credential theft.
Defender Considerations
Immediate action involves upgrading the SDK to version 1.148.0 or higher to activate proper bucket ownership verification checks. Furthermore, developers are encouraged to explicitly specify a staging bucket during uploads, ensuring that control over model artifacts remains secure.
Indicators of Compromise (IOCs)
- Affected SDK Versions: google-cloud-aiplatform versions 1.139.0 and 1.140.0
- Fixed Versions: v1.148.0, released April 15, 2026
Organizations should integrate awareness of this vulnerability into their risk management strategies and security protocols for using cloud-based AI technologies.
