A significant security flaw was discovered in the Google Cloud Vertex AI SDK for Python, which allowed unauthorized users to hijack machine learning model uploads. This vulnerability, identified by Palo Alto Networks’ Unit 42, posed a threat to those using the SDK, enabling attackers to execute code within Google’s infrastructure. While no real-world exploitation has been reported, users are advised to update to version 1.148.0 or later.
Understanding the Vulnerability
The flaw, termed ‘Pickle in the Middle’ by Unit 42, was reported through Google’s bug bounty program. It allowed attackers with only a Google Cloud project and the target’s project ID to exploit the system. This ID is often publicly available, making the attack feasible without needing credentials or phishing attempts.
The issue originated from how the SDK handled temporary Cloud Storage bucket names for model uploads. If a user didn’t specify a bucket, the SDK created a predictable name using the project ID and region. Attackers could preemptively create a bucket with this name, leading the victim’s SDK to upload models to this malicious bucket instead.
Technical Details and Exploitation
The attack leveraged the fact that Cloud Storage bucket names are globally unique: whoever creates a given name first owns that bucket, so an attacker who claimed the predictable name ahead of the victim received the victim’s upload. The attacker could then replace the victim’s model with a compromised one, and when Vertex AI subsequently loaded that model, malicious code could execute within the serving container. Exploitation depended on timing: the attacker had a narrow window of approximately 2.5 seconds between the victim’s upload and the model being read by Vertex AI.
Upon successful exploitation, attackers could steal an OAuth token from the serving container’s metadata server. This token had broad access across the Google-managed tenant project, allowing potential access to sensitive data such as TensorFlow models, BigQuery metadata, and other internal resources.
Preventive Measures and Updates
The flaw was reported on March 5, 2026, and Google released an initial fix in version 1.144.0 on March 31, which appended a random UUID (uuid4) to generated bucket names. A complete fix followed in version 1.148.0 on April 15, adding a bucket ownership verification step so that a squatted bucket is rejected during model uploads.
Users are strongly recommended to update to version 1.148.0 or later to get these protections. Additionally, explicitly specifying a staging bucket under your own control when uploading models removes the predictable-name path entirely. It is crucial to verify the google-cloud-aiplatform version across all environments, including CI jobs and training pipelines, since an outdated copy in any one of them reintroduces the exposure.
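The following script is an added example, not code from the article, from Unit 42 or from the Vertex AI SDK. It turns the two mitigations above (a patched google-cloud-aiplatform and an explicitly chosen, self-owned staging bucket) into a preflight check that a CI job or training pipeline can run before calling the SDK’s upload. The version comparison uses the version numbers named in the article; the bucket ownership check takes the bucket’s project number as a plain argument (in practice it would come from the storage API’s bucket metadata, for instance google-cloud-storage’s Bucket.project_number) so that the example runs offline with constructed values. The helper names and the sample project numbers are assumptions made for this example.

```python
"""Preflight checks for a Vertex AI model-upload pipeline (added example).

Enforces, before any upload happens:
  1. the installed google-cloud-aiplatform is at or above the complete fix (1.148.0);
  2. a staging bucket was chosen explicitly and belongs to our own project,
     so the SDK never derives a predictable bucket name an attacker could pre-create.
"""
import re
from importlib import metadata
from typing import List, Optional, Tuple

MIN_FIXED_VERSION = "1.148.0"   # version the article names as the complete fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.148.0' into (1, 148, 0); trailing non-numeric parts like 'rc1' are dropped."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_is_fixed(installed: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True if installed >= minimum. The partial fix 1.144.0 still counts as unfixed."""
    return parse_version(installed) >= parse_version(minimum)


def installed_sdk_version() -> Optional[str]:
    """Version of google-cloud-aiplatform in this environment, or None if absent."""
    try:
        return metadata.version("google-cloud-aiplatform")
    except metadata.PackageNotFoundError:
        return None


def staging_bucket_is_trusted(staging_bucket: Optional[str],
                              bucket_project_number: Optional[int],
                              my_project_number: int) -> bool:
    """Reject both failure modes from the article: no explicit bucket (the SDK would
    derive a predictable name) and a bucket that exists but is owned by another project.
    bucket_project_number is the owner recorded in the bucket's metadata; None means
    the bucket could not be inspected, which is treated as untrusted."""
    if not staging_bucket or not staging_bucket.startswith("gs://"):
        return False
    if bucket_project_number is None:
        return False
    return int(bucket_project_number) == int(my_project_number)


def preflight(installed_version: Optional[str],
              staging_bucket: Optional[str],
              bucket_project_number: Optional[int],
              my_project_number: int) -> List[str]:
    """Return the list of problems found; an empty list means it is safe to upload."""
    problems = []
    if installed_version is None:
        problems.append("google-cloud-aiplatform is not installed")
    elif not version_is_fixed(installed_version):
        problems.append(
            f"google-cloud-aiplatform {installed_version} is older than "
            f"{MIN_FIXED_VERSION}; upgrade before uploading")
    if not staging_bucket_is_trusted(staging_bucket, bucket_project_number, my_project_number):
        problems.append("staging bucket is missing, malformed, or not owned by this project")
    return problems


if __name__ == "__main__":
    # Constructed scenarios; the project numbers are placeholders, not real projects.
    MY_PROJECT = 123456789012
    cases = {
        "patched SDK, own bucket":      ("1.148.0", "gs://my-team-staging", MY_PROJECT),
        "partial fix, own bucket":      ("1.144.0", "gs://my-team-staging", MY_PROJECT),
        "patched SDK, no bucket given": ("1.148.0", None, None),
        "patched SDK, squatted bucket": ("1.148.0", "gs://my-team-staging", 999999999999),
    }
    for label, (ver, bucket, owner) in cases.items():
        issues = preflight(ver, bucket, owner, MY_PROJECT)
        print(f"{label}: {'OK' if not issues else issues}")
    # In a real pipeline: only after preflight(...) returns [] call
    # aiplatform.init(project=..., location=..., staging_bucket=bucket) and Model.upload().
```

The ownership check is the part the SDK fix added server-side in 1.148.0; keeping an explicit copy in the pipeline means a stray environment still running an older SDK is caught by the version check, and a bucket that exists but was created by someone else is refused rather than silently used.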
This incident marks the second time this year that a predictable bucket name vulnerability has been found in Vertex AI. A similar issue, CVE-2026-2473, was patched in February, addressing cross-tenant code execution risks.
As the cloud landscape continues to evolve, ensuring comprehensive security measures and prompt updates in AI development environments remain essential to safeguard sensitive data and infrastructure.
