Cybersecurity researchers say a flaw in Google Cloud’s Vertex AI platform could let an attacker turn an AI agent into a covert access path to sensitive data, including Google Cloud Storage buckets and private Artifact Registry content, according to a technical analysis by Palo Alto Networks Unit 42.
KEY FACTS
- Issue: Vertex AI’s default service agent permissions were described as overly broad.
- Impact: Stolen credentials could let an attacker move from the AI agent context into a customer project.
- Data exposure: Researchers said this could allow read access to Google Cloud Storage data.
- Internal access: The same credentials also exposed some restricted Google-owned Artifact Registry repositories.
The disclosure said the problem centers on the Per-Project, Per-Product Service Agent tied to a deployed AI agent built with Vertex AI’s Agent Development Kit. After deployment through Agent Engine, calls to the agent exposed service agent credentials, the hosting project, the AI agent identity and the machine scopes.
Unit 42 said it used the credentials to jump from the AI agent execution context into the customer project, which undermined isolation between the agent and customer resources. In its testing, that permitted unrestricted read access to all Google Cloud Storage buckets in the project.
The report also said the credentials provided access to a Google-managed tenant project and to restricted Artifact Registry repositories that were revealed during deployment. Those repositories included container images associated with the Vertex AI Reasoning Engine, and some of the images were not listed in deployment logs.
Google has updated its documentation on Vertex AI access control and recommended that customers use Bring Your Own Service Account and limit permissions to the minimum needed. The company also said customers should apply least privilege controls when deploying AI agents.
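As an added example (not code from Unit 42's report or from Google's documentation), the following Python script audits a project IAM policy, as exported with `gcloud projects get-iam-policy PROJECT --format=json`, for bindings that would give an agent identity project-wide Cloud Storage read. The list of broad roles, the service-agent naming pattern and the sample policy are assumptions constructed for the example; bindings carrying an IAM condition are treated as already narrowed and are not flagged.

```python
"""Flag over-broad IAM grants to identities that act for a deployed AI agent."""
import json
import re
import sys

# Roles that imply read access to every bucket in the project (assumed list).
BROAD_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectViewer",
}

# Assumed naming pattern for the Google-managed Vertex AI service agents.
VERTEX_SERVICE_AGENT = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-aiplatform(-re)?\.iam\.gserviceaccount\.com$"
)


def is_vertex_service_agent(member: str) -> bool:
    """True for the Vertex AI / Reasoning Engine service agent identities."""
    return VERTEX_SERVICE_AGENT.match(member) is not None


def find_overbroad_agent_grants(policy: dict, agent_members: set[str]) -> list[tuple[str, str]]:
    """Return (member, role) pairs where an agent identity holds a broad,
    unconditional project-level role. agent_members lists the bring-your-own
    service accounts used for agents; Vertex service agents are matched by pattern."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES or "condition" in binding:
            continue  # narrow role, or scope already restricted by a condition
        for member in binding.get("members", []):
            if member in agent_members or is_vertex_service_agent(member):
                findings.append((member, role))
    return findings


# Constructed sample policy: one default service agent with roles/editor, one
# BYO agent account with an unconditional project-wide objectViewer grant, and
# a conditional grant limited to a single bucket (acceptable).
BYO_AGENT = "serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": [BYO_AGENT],
     "condition": {"title": "one bucket",
                   "expression": 'resource.name.startsWith("projects/_/buckets/agent-data")'}},
    {"role": "roles/aiplatform.user", "members": ["user:dev@example.com"]},
    {"role": "roles/storage.objectViewer", "members": [BYO_AGENT, "user:dev@example.com"]},
]}

if __name__ == "__main__":
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for member, role in find_overbroad_agent_grants(policy, {BYO_AGENT}):
        print(f"over-broad: {member} holds {role} project-wide")
```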
WHY IT MATTERS
The finding highlights how AI agents can become a cloud security risk if default permissions are too broad. It also shows how misconfigured access controls can expose both customer data and internal software components.