Google Vertex AI Vulnerability Exposed in Python SDK
Cloud machine learning platforms often conceal complex infrastructures behind a few lines of code. Unfortunately, this convenient automation created a dangerous vulnerability within the Google Vertex AI SDK for Python. Specialists from Palo Alto Networks Unit 42 discovered a critical flaw. This vulnerability allowed outsiders to intercept model uploads. They could then execute unauthorized code inside the Google infrastructure hosting these models.
The Risk of Predictable Storage Buckets
The problem emerged when developers failed to specify a custom Cloud Storage staging bucket. The SDK automatically generated a bucket name using a predictable pattern that combined the project identifier and the region. The system then only verified that the bucket existed, without checking who owned it. Because Cloud Storage bucket names are globally unique, an attacker could pre-create the anticipated bucket name within their own project.
Deserialization and Malicious Code
Following this substitution, the victim’s SDK unknowingly sent model files to the hostile bucket. The attacker then swiftly replaced the uploaded model with a malicious version. This risk escalated due to a common Python practice. Developers frequently save models using pickle and joblib libraries. These specific files can execute arbitrary code during the loading and deserialization process. This execution happens if the file contains hidden malicious logic.
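The deserialization risk described above, shown with an added, self-contained example that is not code from the Unit 42 report or from the Vertex AI SDK. It uses only the standard `pickle` module (joblib wraps the same mechanism); the `TrojanModel` class and `_side_effect` function are constructed stand-ins that record that load-time code ran instead of doing anything harmful. The hardened loader follows the restricted-unpickler pattern from the Python documentation: only allow-listed classes may be reconstructed, so a tampered file fails to load instead of executing.

```python
import io
import pickle

# Records calls made during deserialization so the test can observe them.
EXECUTED: list[str] = []


def _side_effect(tag: str) -> str:
    """Constructed stand-in for attacker logic: here it only records a marker."""
    EXECUTED.append(tag)
    return tag


class TrojanModel:
    """Constructed stand-in for a tampered model artifact.

    pickle calls __reduce__ when saving; on load it calls the returned
    callable with the returned arguments. Any callable can be named here,
    which is why loading an untrusted pickle equals running untrusted code.
    """

    def __reduce__(self):
        return (_side_effect, ("load-time-code-ran",))


def tampered_artifact() -> bytes:
    """Bytes a swapped model file could contain (constructed, harmless)."""
    return pickle.dumps(TrojanModel())


def benign_artifact() -> bytes:
    """What a legitimate scikit-learn-style export might hold: plain data."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "classes": ["a", "b"]})


def plain_load(blob: bytes):
    """The common (unsafe) practice: pickle.load / joblib.load on a downloaded file."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: refuses to resolve any class not explicitly permitted."""

    # Extend with the exact (module, name) pairs your artifacts legitimately need,
    # e.g. ("numpy.core.multiarray", "_reconstruct"); never allow-list whole modules.
    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "float"),
    }

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load {module}.{name}: not on the allow-list"
        )


def restricted_load(blob: bytes):
    """Hardened loader: a tampered artifact raises instead of executing."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()
```

Even with an allow-list, the stronger control is to keep untrusted files out of the load path entirely: the bucket-ownership checks and explicit staging bucket covered in the mitigation section prevent the swapped file from reaching the model server in the first place.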
Unit 42 Demonstrates the Attack
Researchers from Unit 42 validated this scenario within a controlled test environment. In their report on hijacking a Vertex AI model, they observed a crucial timing window: approximately 2.5 seconds elapsed between the model upload and Vertex AI reading the file. During their demonstration, a Cloud Function triggered immediately after the upload and swapped the model in just 1.4 seconds, before Vertex AI could access the original file. Subsequently, the compromised model stole an OAuth token from the hosting container’s metadata server.
Extensive Access and Impact
During the test, the stolen token unlocked extensive access. It exposed far more than just the compromised model deployment. Attackers could retrieve sensitive information about other model artifacts within the same Google-managed project. This access included a TensorFlow model containing trained weights. Furthermore, the token exposed BigQuery metadata, access control lists, and system logs. It even revealed GKE cluster names and internal paths for container images. Thankfully, Unit 42 found no evidence of active exploitation in the wild.
Mitigation and Remediation Steps
This attack required two specific conditions to succeed. First, the victim’s default staging bucket must not yet exist in the selected region. Second, the staging bucket parameter had to remain empty. Google received the vulnerability report on March 5, 2026. They swiftly mitigated the issue by adding random identifiers to bucket names in version 1.144.0. Finally, they completed the patch in version 1.148.0 on April 15. This definitive update introduced strict bucket ownership verification during the upload process.
Users of the Google Vertex AI SDK for Python must take immediate action. You should update your google-cloud-aiplatform library to version 1.148.0 or newer. Furthermore, always explicitly define your staging bucket within a controlled Cloud Storage environment. Finally, rigorously verify your SDK versions across all deployment areas. This includes interactive environments, continuous integration tasks, and automated model training processes.