A newly disclosed vulnerability in Google Cloud Vertex AI<\/a> could have allowed attackers to hijack machine learning model uploads and execute malicious code in victim environments, according to research shared with Google under responsible disclosure.<\/p>\n The issue affects the Vertex AI Python SDK (google-cloud-aiplatform) and stems from a combination of predictable cloud storage bucket naming and missing ownership validation.<\/p>\n Unit42 researchers confirmed that vulnerable versions 1.139.0 and 1.140.0 exposed organizations to model poisoning and remote code execution (RCE) risks without requiring any initial access to the victim\u2019s cloud project.<\/p>\n Vertex AI is widely used for building and deploying machine learning models. When developers upload models using the SDK, artifacts are temporarily staged in a Google Cloud Storage (GCS) bucket<\/a> before deployment.<\/p>\n The flaw occurs when users do not specify a staging bucket, causing the SDK to generate one using a predictable naming pattern.<\/p>\n The SDK verifies only whether the bucket exists, not whether it belongs to the intended project, creating an opportunity for bucket hijacking.<\/p>\n This behavior enables a technique known as \u201cbucket squatting,\u201d where an attacker pre-creates the expected bucket name in their own project. As a result, the victim\u2019s model artifacts are silently uploaded to attacker-controlled infrastructure.<\/p>\n Unit42 researchers dubbed the exploitation method \u201cPickle in the Middle,\u201d as it leverages Python\u2019s pickle deserialization<\/a> to achieve code execution.<\/p>\n The attack unfolds in several stages:<\/strong><\/p>\n This process occurs within a narrow race window of approximately 2.5 seconds, allowing the attacker to swap the model before it is consumed by Google\u2019s service agent.<\/p>\n Successful exploitation enables full remote code execution inside Vertex AI serving environments. In proof-of-concept testing, attackers were able to:<\/p>\n Notably, the compromised credentials carried broad cloud-platform scope, significantly increasing the blast radius of the attack.<\/p>\n According to Unit 42 researchers at Palo Alto Networks<\/a>, the vulnerability stems from the SDK\u2019s staging logic in the This design flaw allowed cross-project resource abuse, effectively breaking isolation between tenants.<\/p>\n Google addressed the issue in multiple updates. A first fix introduced randomized bucket naming using UUIDs, while a second patch added explicit bucket ownership verification.<\/p>\n The vulnerabilities were fully resolved in version 1.148.0, released on April 15, 2026.<\/p>\n Developers are strongly advised to:<\/p>\n The vulnerability was reported through Google\u2019s Vulnerability Reward Program and assigned high severity. Google deployed fixes rapidly following disclosure in March 2026.<\/p>\n Security experts highlight this issue as a critical example of risks emerging in AI\/ML pipelines, where supply chain-style attacks can target model artifacts rather than traditional software components.<\/p>\n Organizations using managed AI platforms are encouraged to adopt stricter controls around storage, identity, and model validation to prevent similar attacks.<\/p>\n CISO & Security Leaders: Your next breach may not have a face. Join ISC2\u2019s LIVE webinar, \u201cGhost in the Machine\u201d \u2013 Book Your Spot Here<\/a><\/strong><\/p>\n The post Google Cloud Vertex AI Allows Attacker to Hijack Victim\u2019s Model and Poison it<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGoogle Vertex AI Hijack<\/strong><\/h2>\n
![\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCoWrhlOaw56_KkAAvojUiHwbN1_uxBU5Wun9q3kLBGGyb0_psDhCxVXr30nnQ_HOnVODJ-KhK37ggO_Wccs3hr5E6clJR60Dx132MCiYIPKs08EnckHBYXztpDGcWZBwtFZNt_t_Y9kt_3EzYat_nzUqlpj9kR7bnWkXVbxW6KSVRNH0Y2iT8Da4Kn1I\/s1600\/Screenshot%25202026-06-17%2520193121%2520%25281%2529.webp?ssl=1\")
\n
![\"Change](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghBEBw03ecwcN549oN9VZwteEb6mrLEjjcw29qW9D6WdM3cs9tZIEC6Pslt3t69BIjXUFeFz99y5IuLLfG7HiHOpF9AhYkp-7lAccc6epvsQsY_80Yx1XxA2BpFmcPTYwoRSfkCh78mIORkcuZlpPMh5EnEQss68qSYGqJghgkLQa6CcPNpqGaIOpgXc8\/s1600\/Screenshot%25202026-06-17%2520193131%2520%25281%2529.webp?ssl=1\")
\n
gcs_utils.py<\/code> module, where bucket names are generated predictably and validated only for existence, without verifying ownership.<\/p>\nFix and Mitigation<\/strong><\/h2>\n
\n