High

Predictable bucket naming in Google Cloud Vertex AI Experiments

IdentifiersCVE-2026-2473CWE-340· Generation of Predictable Numbers…

CVE-2026-2473 is a bucket-squatting vulnerability in Google Cloud Vertex AI Experiments affecting Google Cloud Vertex AI from version 1.21.0 up to, but not including, 1.133.0. The issue arises from predictable Cloud Storage bucket naming used by the service or associated workflow, allowing an attacker to pre-create the expected bucket name in their own Google Cloud project before the legitimate tenant does. Because the bucket name is globally unique and predictably derived, the attacker can cause Vertex AI Experiment-related operations to interact with attacker-controlled storage. According to the provided content, successful exploitation can lead to cross-tenant remote code execution, model theft, and model poisoning.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to achieve cross-tenant compromise effects, specifically remote code execution in the affected workflow, theft of machine learning models or related artifacts, and poisoning or tampering with model data. Because the issue is cross-tenant, the impact extends beyond the attacker's own project boundary and can affect other Google Cloud customers using the vulnerable Vertex AI Experiments functionality.

Mitigation

If you can’t patch tonight, do this now.

Per the provided content, no customer action is needed because Google patched the issue. As a defense-in-depth measure, organizations can monitor for unexpected Cloud Storage buckets matching Vertex AI Experiment naming conventions and review controls around bucket creation and experiment-related storage usage, but the primary mitigation is the vendor-side fix.

Remediation

Patch, then assume compromise.

Google patched this vulnerability. The affected range is Google Cloud Vertex AI versions 1.21.0 through 1.132.x, with 1.133.0 and later not affected per the provided advisory data. The content also states that the vulnerability was patched by Google and that no customer action is needed. Where version management is applicable, ensure use of a fixed release at or above 1.133.0.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleGoogle-Cloud-Aiplatformapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Jun 16, 2026

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

A separate Vertex AI Experiments bucket-squatting vulnerability that allowed cross-tenant code execution, model theft, and poisoning.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-2473

NVD

nvd.nist.gov/vuln/detail/CVE-2026-2473

MITRE CWE · CWE-340

Generation of Predictable Numbers or Identifiers

docs.cloud.google.com

docs.cloud.google.com/support/bulletins