Vulnerability  ·  2026-06-21

Google Vertex AI SDK 'Pickle in the Middle' — Bucket Squatting Enables Cross-Tenant RCE

Vulnerability · High impact · Global
Palo Alto Networks Unit 42 discovered and responsibly disclosed a design flaw in Google Cloud's Vertex AI Python SDK (reported 2026-03-05, patched by 2026-04-15, publicly disclosed ~2026-06-16). Affected SDK versions 1.139.0 and 1.140.0 generated deterministic GCS staging bucket names without verifying bucket ownership. Combined with Python's unsafe pickle deserialization in ML model loading, an attacker could pre-claim the bucket, inject a malicious model artifact in a race-condition window, and achieve code execution inside Google's multi-tenant serving infrastructure. Unit 42 demonstrated exfiltration of OAuth tokens granting access to BigQuery metadata and other internal resources.
This attack requires no access to the victim's cloud project — only their public project ID and region. It demonstrates that ML model upload pipelines are a novel RCE surface: pickle deserialization in serving containers executes arbitrary code with cloud service-account permissions, undermining tenant isolation in managed AI platforms. The technique (naming-convention squatting + pickle RCE) is generalisable to other ML platforms that auto-generate predictable storage paths.
The Vertex AI Python SDK (versions 1.139.0–1.140.0) generates a predictable staging GCS bucket name from the victim's project ID and region (format: project-vertex-staging-region). An attacker with their own Google Cloud project pre-registers this bucket name (bucket squatting). When the victim uploads a model, the SDK silently uploads artifacts to the attacker's bucket. A Cloud Function triggers on upload and swaps the legitimate model for a malicious pickle/joblib payload within a ~2.5-second race window. Vertex AI then deserialises the poisoned model, executing the attacker's code inside Google's serving container and leaking OAuth tokens from the metadata server.
Affected: google-cloud-aiplatform (Vertex AI Python SDK) versions 1.139.0 – 1.140.0; fully patched in 1.144.0 and 1.148.0.
Mitigation: upgrade google-cloud-aiplatform to version 1.148.0 or later. Always set the staging_bucket parameter explicitly on model uploads rather than relying on auto-generated names. Advisory: https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
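The following pre-flight checks, added here as an example and not code from Unit 42 or the Vertex AI SDK, show what a deployment pipeline can verify before relying on a staging bucket: that the bucket is set explicitly, that it is owned by the uploading project, and that the artifact read back from storage still matches the one that was staged. The ownership lookup is injected as a callable (an assumption, so the code runs offline); the predicted bucket name follows the format the advisory gives.

```python
"""Pre-flight checks for a Vertex AI model upload (added example, not SDK code)."""
import hashlib
from typing import Callable, List, Optional


def predicted_staging_bucket(project_id: str, region: str) -> str:
    """Bucket name the vulnerable SDK would auto-generate (format from the advisory)."""
    return f"{project_id}-vertex-staging-{region}"


def check_staging_bucket(
    project_id: str,
    region: str,
    staging_bucket: Optional[str],
    owner_of: Callable[[str], Optional[str]],
) -> List[str]:
    """Return findings about the upload target; an empty list means it looks safe.

    owner_of(bucket) is assumed to return the owning project ID, or None if the
    bucket does not exist (in practice this would wrap a storage API call).
    """
    findings: List[str] = []
    if not staging_bucket:
        findings.append("staging_bucket not set; SDK would fall back to a predictable name")
        staging_bucket = predicted_staging_bucket(project_id, region)
    owner = owner_of(staging_bucket)
    if owner is None:
        findings.append(
            f"bucket {staging_bucket} does not exist; create it in {project_id} "
            "before uploading so another project cannot claim the name"
        )
    elif owner != project_id:
        findings.append(f"bucket {staging_bucket} is owned by {owner}, not {project_id}")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_unchanged(staged: bytes, read_back: bytes) -> bool:
    """True if the artifact read back from the bucket matches what was staged.

    Re-reading and comparing digests before deployment detects an artifact that
    was replaced between upload and model registration.
    """
    return sha256_hex(staged) == sha256_hex(read_back)
```

In a real pipeline the digest of the staged artifact should be recorded out of band, and the comparison performed against the object the serving container will actually load.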
Sources
Unit 42 — Pickle in the Middle: Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
The Hacker News — Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting
CSO Online — Google's Vertex AI SDK could allow RCE through bucket squatting