Critical Vertex AI SDK Flaw Enabled Cross-Tenant RCE via Model Upload Hijacking
Palo Alto Networks Unit 42 disclosed a critical vulnerability in the Google Cloud Vertex AI SDK for Python that allowed attackers to hijack model uploads and achieve cross-tenant remote code execution in Vertex AI serving infrastructure. The issue affected google-cloud-aiplatform versions 1.139.0 and 1.140.0 and was caused by a predictable default staging bucket name and missing ownership verification during the SDK’s staging process. With only their own Google Cloud project and a victim’s project ID, an attacker could pre-create the expected bucket, intercept uploaded model artifacts, and swap in a malicious file during an approximately 2.5-second race window.
The attack abused Python pickle/joblib deserialization so that malicious code ran when the victim later deployed the poisoned model. Unit 42 said the technique could expose service account credentials from the serving environment and provide access to tenant-project resources including other model artifacts, BigQuery metadata, and Cloud Logging data. Google accepted the report and released fixes in versions 1.144.0 and 1.148.0; defenders are advised to upgrade to 1.148.0 or later and explicitly configure a staging bucket where appropriate.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Google accepted the report and released fixes in SDK versions 1.144.0 and 1.148.0
According to Unit 42, Google accepted the vulnerability report and issued fixes for the affected Vertex AI SDK for Python. The remediation was released in versions 1.144.0 and 1.148.0, and users were advised to upgrade to version 1.148.0 or later.
Unit 42 demonstrated RCE via poisoned Vertex AI model artifacts
Unit 42 showed that an attacker could replace uploaded model artifacts within an approximately 2.5-second race window using a Cloud Function, then abuse Python pickle/joblib deserialization when the victim deployed the model. The proof of concept achieved code execution in Vertex AI serving infrastructure and enabled exfiltration of service account credentials and access to tenant-project resources.
Google Cloud Vertex AI SDK flaw enabled cross-tenant model upload hijacking
Unit 42 disclosed a critical vulnerability in the Google Cloud Vertex AI SDK for Python affecting google-cloud-aiplatform versions 1.139.0 and 1.140.0. The issue combined a predictable default staging bucket name with missing ownership verification, allowing attackers to squat the expected bucket and hijack victim model uploads for eventual remote code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting
thehackernews.com
Open sourcePickle in the Middle - Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
unit42.paloaltonetworks.com
Open sourcefix: Add bucket ownership verification to prevent bucket squatting in… · googleapis/python-aiplatform@9feda02 · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vertex AI flaw let agent credentials expose Google Cloud data and private artifacts
Palo Alto Networks Unit 42 disclosed a weakness in **Google Cloud Vertex AI** that could let attacker-controlled AI agents extract credentials from the platform’s Per-Project, Per-Product Service Agent (`P4SA`) and use them to access customer resources. The issue affects deployments built with the **Agent Development Kit** through **Agent Engine**, where excessive default permissions weakened isolation between the AI agent runtime and the customer’s Google Cloud project. Researchers said exposed service-agent credentials could be abused to gain broad read access to **Google Cloud Storage** data and to view restricted Google-owned **Artifact Registry** repositories linked to Vertex AI infrastructure. Unit 42 said the flaw also exposed details about internal Google infrastructure and potentially proprietary code associated with the **Vertex AI Reasoning Engine**. Researchers further warned that insecure Python `pickle` usage and broad, non-editable **OAuth 2.0** scopes could expand the blast radius beyond GCP into **Google Workspace** services such as Gmail, Google Calendar, and Google Drive. Google responded by updating its guidance and urging customers to adopt **Bring Your Own Service Account (BYOSA)** and least-privilege controls to reduce the risk.
Apr 1, 2026
Privilege Escalation in Vertex AI Enabled LLM Model Exfiltration
Palo Alto Networks Unit 42 disclosed **ModeLeak**, a security issue in Google Cloud **Vertex AI** that allowed an attacker to escalate privileges and exfiltrate hosted **large language models**. The report indicates the flaw affected the trust boundaries around managed AI services, creating a path from lower-privileged access to unauthorized retrieval of proprietary model assets stored or served through Vertex AI. The finding highlights a high-impact cloud AI risk: organizations using managed model platforms could face theft of valuable intellectual property if identity, access controls, and service permissions are misconfigured or insufficiently isolated. The disclosure underscores the need for defenders to review **IAM roles**, service account permissions, and model access paths in Vertex AI environments to prevent unauthorized access to hosted models and related AI resources.
Jun 17, 2026
Critical ChromaDB RCE Lets Attackers Hijack Exposed AI Servers
A maximum-severity remote code execution flaw in ChromaDB's Python FastAPI server, tracked as **CVE-2026-45829**, allows unauthenticated attackers to take over exposed instances by abusing an API endpoint that fetches and executes attacker-controlled model code from Hugging Face before authentication is enforced. HiddenLayer, which disclosed the issue under the name **ChromaToast Served Pre-Auth**, reported the bug to ChromaDB after finding that the vulnerable server-side code was introduced in version `1.0.0` and remained present through at least `1.5.8`, with the status of `1.5.9` unclear. The exposure is significant for AI application environments using ChromaDB as a vector database: HiddenLayer said about **73%** of internet-exposed Chroma instances identified via Shodan appeared to be running vulnerable versions. Deployments using ChromaDB locally without exposing the API server, or using the Rust front-end instead of the Python server, are not affected. Recommended mitigations include removing public access to the Python API server, restricting network access to the ChromaDB port, preferring the Rust front-end where possible, and scanning machine learning model artifacts before runtime.
May 21, 2026