A newly disclosed vulnerability in Google Cloud Vertex AI could have allowed attackers to hijack machine learning model uploads and execute malicious code in victim environments, according to research shared with Google under responsible disclosure.
The issue affects the Vertex AI Python SDK (google-cloud-aiplatform) and stems from a combination of predictable cloud storage bucket naming and missing ownership validation.
Unit 42 researchers confirmed that vulnerable versions 1.139.0 and 1.140.0 exposed organizations to model poisoning and remote code execution (RCE) risks without requiring any initial access to the victim’s cloud project.
Vertex AI is widely used for building and deploying machine learning models. When developers upload models using the SDK, artifacts are temporarily staged in a Google Cloud Storage (GCS) bucket before deployment.
Google Vertex AI Hijack
The flaw occurs when users do not specify a staging bucket, causing the SDK to generate one using a predictable naming pattern.
The SDK verifies only whether the bucket exists, not whether it belongs to the intended project, creating an opportunity for bucket hijacking.
This behavior enables a technique known as “bucket squatting,” where an attacker pre-creates the expected bucket name in their own project. As a result, the victim’s model artifacts are silently uploaded to attacker-controlled infrastructure.
Unit 42 researchers dubbed the exploitation method “Pickle in the Middle,” as it leverages Python’s pickle deserialization to achieve code execution.
The attack unfolds in several stages:
- The attacker predicts the victim’s default bucket name and creates it in their own project with permissive access controls.
- When the victim uploads a model, the SDK unknowingly sends artifacts to the attacker’s bucket.
- A malicious cloud function detects the upload and replaces the model file within milliseconds.
- The poisoned model is later deployed by Vertex AI infrastructure.
- During model loading, pickle deserialization executes attacker-controlled code.
This process occurs within a narrow race window of approximately 2.5 seconds, allowing the attacker to swap the model before it is consumed by Google’s service agent.

Successful exploitation enables full remote code execution inside Vertex AI serving environments. In proof-of-concept testing, attackers were able to:
- Extract service account tokens from the metadata server.
- Access other models stored in the same tenant environment.
- Enumerate BigQuery datasets and permissions.
- Gather internal infrastructure details from cloud logs.
Notably, the compromised credentials carried broad cloud-platform scope, significantly increasing the blast radius of the attack.
According to Unit 42 researchers at Palo Alto Networks, the vulnerability stems from the SDK’s staging logic in the gcs_utils.py module, where bucket names are generated predictably and validated only for existence, without verifying ownership.
This design flaw allowed cross-project resource abuse, effectively breaking isolation between tenants.
Fix and Mitigation
Google addressed the issue in multiple updates. A first fix introduced randomized bucket naming using UUIDs, while a second patch added explicit bucket ownership verification.
The vulnerabilities were fully resolved in version 1.148.0, released on April 15, 2026.
Developers are strongly advised to:
- Upgrade the google-cloud-aiplatform SDK to version 1.148.0 or later.
- Explicitly define staging buckets instead of relying on defaults.
- Monitor model integrity during upload and deployment workflows.
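To make the staging-bucket flaw and its fix concrete, here is an added example (not code from the SDK or from Unit 42) that models the two validation strategies side by side. A small in-memory registry stands in for Google Cloud Storage so it runs offline; the default-name pattern, project numbers and bucket names are constructed placeholders, not the SDK's real values. The existence-only resolver hands the victim's artifacts to whichever project already holds the predicted name, while the ownership-checking resolver rejects that bucket and only ever creates or accepts buckets in the caller's own project; passing an explicit staging bucket, as recommended above, sidesteps the predictable default entirely.

```python
from dataclasses import dataclass
from typing import Optional

VICTIM_PROJECT, ATTACKER_PROJECT = 4242, 9999  # constructed project numbers


@dataclass(frozen=True)
class Bucket:
    name: str
    project_number: int  # owning project, as reported by the storage service


def default_bucket_name(project_id: str, location: str) -> str:
    """Hypothetical predictable default; a placeholder for the SDK's pattern."""
    return f"{project_id}-{location}-staging"


# Constructed stand-in for the global GCS namespace: bucket names are unique
# across all projects, so the victim's predictable default name can already
# exist under someone else's project (squatted); the explicit bucket is legit.
SQUATTED = default_bucket_name("demo-proj", "us-central1")
REGISTRY = {
    SQUATTED: Bucket(SQUATTED, ATTACKER_PROJECT),
    "team-ml-staging": Bucket("team-ml-staging", VICTIM_PROJECT),
}


def lookup_bucket(name: str) -> Optional[Bucket]:
    """Existence lookup, like storage.Client.lookup_bucket(): None if absent."""
    return REGISTRY.get(name)


def resolve_staging_vulnerable(project_id: str, location: str, project_number: int,
                               staging_bucket: Optional[str] = None) -> Bucket:
    """Existence-only check: whoever already holds the name gets the artifacts."""
    name = staging_bucket or default_bucket_name(project_id, location)
    return lookup_bucket(name) or Bucket(name, project_number)  # else create


def resolve_staging_hardened(project_id: str, location: str, project_number: int,
                             staging_bucket: Optional[str] = None) -> Bucket:
    """Ownership check: an existing bucket must belong to the caller's project."""
    name = staging_bucket or default_bucket_name(project_id, location)
    bucket = lookup_bucket(name)
    if bucket is None:
        return Bucket(name, project_number)  # absent: create it in our project
    if bucket.project_number != project_number:
        raise PermissionError(f"bucket {name!r} belongs to project "
                              f"{bucket.project_number}, not {project_number}")
    return bucket
```

In a real deployment the same ownership comparison can be made against `Bucket.project_number` from the google-cloud-storage client, and the randomized (UUID-based) default names in the patched SDK remove the predictability that made squatting feasible in the first place.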
The vulnerability was reported through Google’s Vulnerability Reward Program and assigned high severity. Google deployed fixes rapidly following disclosure in March 2026.
Security experts highlight this issue as a critical example of risks emerging in AI/ML pipelines, where supply-chain-style attacks can target model artifacts rather than traditional software components.
Organizations using managed AI platforms are encouraged to adopt stricter controls around storage, identity, and model validation to prevent similar attacks.