Google Vertex AI SDK flaw let attackers hijack model uploads and run code

A flaw in Google’s Vertex AI SDK for Python let an attacker with no access to a victim’s project hijack model uploads and run code inside Google’s serving infrastructure, according to a technical analysis by Palo Alto Networks Unit 42. Google patched the issue, and the researchers said they saw no evidence of exploitation in the wild.

KEY FACTS

  • Attack path: The flaw let an attacker squat on a predictable Cloud Storage bucket name tied to a victim’s project ID and region.
  • Access needed: The attacker needed only their own Google Cloud project and the victim’s public project ID.
  • Impact: A swapped model file could execute code when Vertex AI loaded it, then steal an OAuth token from the serving container.
  • Fix: Google said users should update to Vertex AI SDK version 1.148.0 or later.

The bug was in how the SDK chose a temporary bucket for model uploads when developers left the staging bucket unset. If the expected bucket did not already exist, the SDK generated a predictable name and checked for existence, but not ownership. Because bucket names are globally unique, an attacker could create the bucket first in their own project and receive the victim’s upload.

Once the model file landed in the attacker’s bucket, it could be replaced before Vertex AI read it. The report said many Python machine learning models use pickle or joblib, formats that can execute code when loaded. In Unit 42’s proof of concept, a Cloud Function swapped the file in about 1.4 seconds, before Vertex AI’s roughly 2.5-second read window expired.

The payload then stole an OAuth token from the container metadata server. In the test setup, that token could reach other model artifacts and tenant data in the same Google-managed environment, including TensorFlow model files, BigQuery metadata, access lists, tenant logs, GKE cluster names and internal image paths. The attack worked only when the default staging bucket was absent in the region and the developer had not set a custom bucket.

Unit 42 reported the issue through Google’s bug bounty program on March 5, 2026. Google added a random UUID to the bucket name in version 1.144.0 on March 31 and completed the fix in version 1.148.0 on April 15 with an ownership check in Model.upload().

WHY IT MATTERS

The flaw shows how a default setting in a client SDK can create a cross-tenant security risk even without direct access to a target project. Google advised users to update the SDK and set an explicit staging bucket they control when uploading models.
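The following is an added illustration, not code from the Vertex AI SDK or from Unit 42, of the two points the article makes: an existence-only check on a predictable bucket name versus an ownership check plus an explicit staging bucket. The naming scheme, the in-memory `BucketNamespace`, and the project numbers are constructed for the example; the real SDK's bucket naming pattern is not given in the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bucket:
    name: str
    project_number: int  # the project that owns the bucket
class StagingBucketError(Exception):
    """The chosen staging bucket is not owned by the caller's project."""
class BucketNamespace:
    """Constructed stand-in for the global, first-come Cloud Storage namespace."""
    def __init__(self): self._buckets = {}
    def lookup(self, name):
        return self._buckets.get(name)
    def create(self, name, project_number):
        if name in self._buckets:
            raise StagingBucketError(f"bucket name {name!r} is already taken")
        self._buckets[name] = Bucket(name, project_number)
        return self._buckets[name]

def default_bucket_name(project_id, region):
    # Hypothetical scheme: the article only says the name derives from project ID and region.
    return f"{project_id}-{region}-vertex-staging"

def resolve_existence_only(ns, project_id, project_number, region):
    """The flawed logic: an existing bucket is used no matter who owns it."""
    name = default_bucket_name(project_id, region)
    return ns.lookup(name) or ns.create(name, project_number)

def resolve_with_ownership_check(ns, project_id, project_number, region, staging_bucket=None):
    """Hardened logic: prefer an explicit bucket and refuse one owned by another project."""
    name = staging_bucket or default_bucket_name(project_id, region)
    bucket = ns.lookup(name)
    if bucket is None:
        return ns.create(name, project_number)
    if bucket.project_number != project_number:
        raise StagingBucketError(f"{name!r} is owned by project {bucket.project_number}")
    return bucket

def demo():
    # Constructed scenario: project 999 has already taken the victim project's default name.
    ns, victim_id, victim_num, region = BucketNamespace(), "victim-proj", 111, "us-central1"
    ns.create(default_bucket_name(victim_id, region), 999)
    squatted = resolve_existence_only(ns, victim_id, victim_num, region)
    try:
        resolve_with_ownership_check(ns, victim_id, victim_num, region)
        refused = False
    except StagingBucketError:
        refused = True
    ns.create("victim-proj-own-staging", victim_num)  # explicit bucket the victim controls
    explicit = resolve_with_ownership_check(ns, victim_id, victim_num, region, "victim-proj-own-staging")
    return {"upload_owner": squatted.project_number, "refused": refused, "explicit_owner": explicit.project_number}
```

With the existence-only check the upload lands in the foreign project's bucket; the ownership check refuses it, and an explicitly configured bucket the caller owns is accepted.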