A critical vulnerability was identified in Google Cloud’s Vertex AI, potentially allowing attackers to take control of machine learning model uploads and execute harmful code within victim environments. This flaw was uncovered by Unit42 researchers and responsibly disclosed to Google.
Vulnerability Details
The issue affects the Vertex AI Python SDK, specifically in versions 1.139.0 and 1.140.0, due to predictable cloud storage bucket naming coupled with inadequate ownership validation. This vulnerability could lead to model poisoning and remote code execution (RCE) without any initial access to the victim’s cloud project.
Vertex AI, a widely utilized platform for constructing and deploying machine learning models, stages artifacts temporarily in a Google Cloud Storage (GCS) bucket during model uploads. However, when no specific staging bucket is defined, the SDK automatically generates one using a predictable naming pattern, potentially leading to what researchers call ‘bucket squatting’ attacks.
Exploitation Mechanism
The vulnerability enables attackers to use ‘bucket squatting’ by pre-creating a bucket with the expected name in their own project. This allows model artifacts to be uploaded to attacker-controlled infrastructure without the victim’s knowledge.
Dubbed ‘Pickle in the Middle,’ this exploitation technique leverages Python’s pickle deserialization for code execution. The attacker predicts the bucket name, sets it up with permissive access, and waits for the victim’s model to be uploaded. A malicious function then swiftly replaces the model file, achieving code execution during the model loading process.
Impact and Resolution
Successful exploitation can lead to full remote code execution within Vertex AI environments, allowing attackers to extract sensitive tokens, access other models, and gather infrastructure details. This broad access raises significant security concerns.
Google addressed the vulnerability with updates that include randomizing bucket names using UUIDs and verifying explicit bucket ownership. These fixes were incorporated into version 1.148.0, released in April 2026.
Developers are urged to upgrade to the latest SDK version and explicitly define staging buckets. Additionally, monitoring model integrity during uploads and deployments is strongly recommended.
Security Implications
This incident underscores the emerging risks in AI/ML pipelines, where supply chain-like attacks can target model artifacts. Security experts stress the importance of robust controls over storage, identity management, and model validation to mitigate such threats.
Google’s rapid response and the subsequent fixes highlight the critical nature of securing AI platforms. Organizations are encouraged to implement stricter security measures to safeguard their AI models and infrastructure against similar vulnerabilities in the future.
