{"id":9962,"date":"2026-01-18T10:03:40","date_gmt":"2026-01-18T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/18\/googles-vertex-ai-vulnerability-enables-low-privileged-users-to-gain-service-agent-roles\/"},"modified":"2026-01-18T10:03:40","modified_gmt":"2026-01-18T10:03:40","slug":"googles-vertex-ai-vulnerability-enables-low-privileged-users-to-gain-service-agent-roles","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/18\/googles-vertex-ai-vulnerability-enables-low-privileged-users-to-gain-service-agent-roles\/","title":{"rendered":"Google\u2019s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles"},"content":{"rendered":"<p>    Google\u2019s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Google\u2019s Vertex AI contains default configurations that allow low-privileged users to escalate privileges by hijacking Service Agent roles.<\/p>\n<p>XM Cyber researchers identified two attack vectors in the Vertex AI Agent Engine and Ray on Vertex AI, which Google deemed \u201cworking as intended.<\/p>\n<p>Service Agents are managed identities that Google Cloud attaches to Vertex AI instances for internal operations. These accounts receive broad project permissions by default, creating risks when low-privileged users access them.<\/p>\n<p>Attackers exploit this through confused deputy scenarios, where minimal access grants remote code execution (RCE) and allows credential theft from instance metadata.<\/p>\n<p>Both paths start with read-only permissions but end with high-privilege actions, such as accessing <a href=\"https:\/\/cybersecuritynews.com\/cloud-storage-vs-local-storage-which-one-should-you-choose-for-digitizing-documents\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cloud Storage<\/a> (GCS) or BigQuery. The diagram illustrates the Ray on Vertex AI flow, from persistent resources access to the Custom Code Service Agent compromise.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhAS91AJB8-iH1Ipfo7Mgk3DzanTGbkReQPQDCQfT26kXY_9dM94bE_1CFcQ2Zr6X2nzsZ9ogvGD1OdtSEh2njcAKXibRNwKjqdsSW5dsv4M3NijvfGWMArY-PdTcVj3ZTGJ-IKtUf75zVY8Ly0fYT5Be0s_H4X5Guu2EuneDBAM39153L_Pl9rcSULnFFx\/s16000\/diagram1-v2.webp?ssl=1\" alt=\"Google\u2019s Vertex AI Vulnerability\"><\/figure>\n<\/div>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Feature<\/th>\n<th>Vertex AI Agent Engine<\/th>\n<th>Ray on Vertex AI<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Primary Target<\/td>\n<td>Reasoning Engine Service Agent<\/td>\n<td>Custom Code Service Agent<\/td>\n<\/tr>\n<tr>\n<td>Vulnerability Type<\/td>\n<td>Malicious Tool Call (RCE)<\/td>\n<td>Insecure Default Access (Viewer to Root)<\/td>\n<\/tr>\n<tr>\n<td>Initial Permission<\/td>\n<td>aiplatform.reasoningEngines.update<\/td>\n<td>aiplatform.persistentResources.get\/list<\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>LLM memories, chats, GCS access<\/td>\n<td>Ray cluster root; BigQuery\/GCS R\/W <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"agent-engine-tool-injection\"><strong>Agent Engine Tool Injection<\/strong><\/h2>\n<p>Developers deploy AI agents via frameworks like Google\u2019s Agent Development Kit (ADK), which pickles Python code and stages it in GCS buckets. Attackers with aiplatform.reasoningEngines.update permission upload malicious code disguised as a tool, such as a reverse shell in a currency converter function.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCORHAG608Chfoqvne8wZS_g-PzsDi0aQMVEHLjF3Hh6Yv1y5kdtOlQOUcD89uNE9aOQU9n7QvLu5Z2F1W4pZEDly5Mwcx1QGFScy0Hag4IWrkt9CYDPoi5KV6f1eOXZoXFeDgDFpH2ocpkt6WRznTB5ynCgBkxKYVO9jXQy155v9M6P7g9sTel-w_H4JY\/s16000\/Vul1.webp?ssl=1\" alt=\"Google\u2019s Vertex AI Vulnerability\"><figcaption class=\"wp-element-caption\">Vulnerability Chain<\/figcaption><\/figure>\n<p>A query triggers the tool, executing the shell on the reasoning engine instance. Attackers then query metadata for the Reasoning Engine Service Agent token (service-&lt;project&gt;@gcp-sa-aiplatform-re.iam.gserviceaccount.com), gaining permissions for memories, sessions, storage, and logging. This reads chats, LLM data, and buckets. Public buckets work as staging, needing no storage rights, XM Cyber <a href=\"https:\/\/xmcyber.com\/blog\/double-agent-service-agent-privilege-escalation-in-google-vertex-ai\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">said<\/a>.<\/p>\n<p>Ray clusters for scalable AI workloads attach the Custom Code Service Agent to the head node automatically. Users with aiplatform.persistentResources.list\/get part of Vertex AI Viewer role access the GCP Console\u2019s \u201cHead node interactive shell\u201d link.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiyQcWpQXOtmu-5ilteqoClXF_GLPn1txXjGP8eqbxw3WR9sMLcG9grMvz77RquMH5lXNx5BnzsINSI3J2e0awuQ3uW_xEWIObX9i7oGU-7NR0adeKUWPQldGN1bJUbipVxT2zqYV5bMTwDAVDg4C5gKiZwXmBOiN6SX0p33eUlsKC8pbvM6CR7vLYV78oP\/s16000\/vuln2.webp?ssl=1\" alt=\"Google\u2019s Vertex AI Vulnerability\"><figcaption class=\"wp-element-caption\">Vulnerability Chain<\/figcaption><\/figure>\n<p>This grants root shell access despite viewer limits. Attackers extract the agent\u2019s token via metadata, enabling GCS\/BigQuery read-write, though <a href=\"https:\/\/cybersecuritynews.com\/identity-management-solutions\/\" target=\"_blank\" rel=\"noreferrer noopener\">IAM actions<\/a> like signBlob are scoped-limited in tests. The second diagram shows the pivot to cloud storage and logging.<\/p>\n<p>Revoke unnecessary Service Agent permissions using custom roles. Disable head node shells and validate tool code before updates. Monitor metadata accesses via Security Command Center\u2019s Agent Engine Threat Detection, which flags RCE and token grabs.<\/p>\n<p>Audit persistent resources and reasoning engines regularly. Enterprises adopting Vertex AI must treat these defaults as risks, not features.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/google-vertex-ai-vulnerability\/\">Google\u2019s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/google-vertex-ai-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google\u2019s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles Google\u2019s Vertex AI contains default configurations that allow low-privileged users to escalate privileges by hijacking Service Agent roles. XM Cyber researchers identified two attack vectors in the Vertex AI Agent Engine and Ray on Vertex AI, which Google deemed \u201cworking as intended. Service [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-9962","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9962"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9962"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9962\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}