HackMyIP
2026-06-16 The Hacker News

Google Vertex AI SDK Bug Let Attackers Hijack AI Model Uploads

Cloud Security · Vulnerability · AI Security

A critical vulnerability in Google Cloud's Vertex AI SDK for Python allowed attackers to hijack machine learning model uploads and execute arbitrary code inside Google's serving infrastructure, Palo Alto Networks Unit 42 disclosed on June 16, 2026. The flaw, reported through Google's bug bounty program, required no credentials, phishing, or prior access to the target environment—only the victim's Google Cloud project ID, which is frequently exposed in code repos, documentation, and dashboards. Researchers labeled the technique "Pickle in the Middle" and found no evidence of in-the-wild exploitation.

The attack exploited how the SDK generated temporary Cloud Storage bucket names. When developers left the staging_bucket parameter unset, the SDK derived a predictable name from the project ID and region (e.g., project-vertex-staging-region) and checked only whether the bucket existed—not whether the victim actually owned it. Because bucket names are globally unique across Google Cloud, an attacker could claim the expected bucket in their own project first. The victim's SDK would then upload model files directly into attacker-controlled storage, where a Cloud Function could swap the legitimate model for a malicious pickle or joblib payload in roughly 1.4 seconds—well within the 2.5-second window before Vertex AI loaded the file. The serialized payload executed code inside the serving container and exfiltrated an OAuth token from the metadata server.
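The bucket-name race described above, reduced to a runnable example. This is added code, not the Vertex AI SDK's implementation and not Unit 42's proof of concept: it models the global Cloud Storage namespace as an in-memory dict so it runs offline, and the default name format, the project IDs and the bucket records are assumed or constructed. It contrasts the existence-only check with an ownership check plus random suffix, and includes a small audit helper that flags default-pattern bucket names not owned by the expected project.

```python
# Added example (not Vertex AI SDK or Unit 42 code). The storage backend is a
# constructed stand-in; the default name format and project IDs are assumptions.
import re
import uuid
from typing import Dict, List, Optional


def default_staging_bucket(project_id: str, region: str) -> str:
    """Predictable default name (assumed format, mirroring the article's example)."""
    return f"{project_id}-vertex-staging-{region}"


class FakeStorage:
    """Stand-in for Cloud Storage: bucket names are globally unique across all projects."""

    def __init__(self) -> None:
        self.buckets: Dict[str, str] = {}  # bucket name -> owning project

    def exists(self, name: str) -> bool:
        return name in self.buckets

    def owner(self, name: str) -> Optional[str]:
        return self.buckets.get(name)

    def create(self, name: str, project_id: str) -> None:
        if name in self.buckets:
            raise ValueError(f"bucket {name!r} already exists in another project")
        self.buckets[name] = project_id


def resolve_staging_bucket_vulnerable(storage: FakeStorage, project_id: str, region: str) -> str:
    """Existence-only check: if someone else already created the default name, we use their bucket."""
    name = default_staging_bucket(project_id, region)
    if not storage.exists(name):
        storage.create(name, project_id)
    return name


def resolve_staging_bucket_hardened(storage: FakeStorage, project_id: str, region: str) -> str:
    """Ownership check: refuse a bucket owned by another project; new buckets get an unguessable suffix."""
    name = default_staging_bucket(project_id, region)
    if storage.exists(name):
        if storage.owner(name) != project_id:
            raise PermissionError(f"bucket {name!r} exists but is owned by another project")
        return name
    name = f"{name}-{uuid.uuid4()}"  # random suffix, so the name cannot be pre-claimed
    storage.create(name, project_id)
    return name


def find_squatted_buckets(storage: FakeStorage, project_id: str, region: str) -> List[str]:
    """Audit helper: default-pattern names for this project/region that the project does not own."""
    pattern = re.compile(re.escape(default_staging_bucket(project_id, region)) + r"(-[0-9a-f-]{36})?$")
    return sorted(n for n, o in storage.buckets.items() if pattern.match(n) and o != project_id)


def demo() -> dict:
    storage = FakeStorage()
    # The attacker needs only the victim's project ID and region to pre-claim the default name.
    squatted = default_staging_bucket("victim-proj", "us-central1")
    storage.create(squatted, "attacker-proj")

    # Vulnerable path: the bucket exists, so the victim's uploads go to the attacker's project.
    vuln_bucket = resolve_staging_bucket_vulnerable(storage, "victim-proj", "us-central1")

    # Hardened path: same squatted namespace, but the ownership check refuses the bucket.
    try:
        resolve_staging_bucket_hardened(storage, "victim-proj", "us-central1")
        hardened_refused = False
    except PermissionError:
        hardened_refused = True

    # On an unclaimed namespace the hardened path creates a victim-owned bucket with a random suffix.
    fresh = FakeStorage()
    new_bucket = resolve_staging_bucket_hardened(fresh, "victim-proj", "us-central1")

    return {
        "vuln_bucket_owner": storage.owner(vuln_bucket),
        "hardened_refused": hardened_refused,
        "new_bucket": new_bucket,
        "new_bucket_owner": fresh.owner(new_bucket),
        "audit": find_squatted_buckets(storage, "victim-proj", "us-central1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real project the audit step would list the buckets visible to you and compare each one's owning project to the project you expect; the in-memory version here only shows the logic of that comparison.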

That token granted access far beyond the compromised deployment. In Unit 42's test environment, the stolen credential reached other artifacts in Google's managed tenant project, including a full TensorFlow model with trained weights, BigQuery metadata, access lists, tenant logs, GKE cluster names, and internal container image paths. The attack only succeeded when the default staging bucket did not already exist in-region and when developers relied on SDK defaults rather than specifying their own buckets—a common pattern in new Vertex AI projects. Unit 42 confirmed versions 1.139.0 and 1.140.0 as vulnerable; Google shipped an initial fix in v1.144.0 on March 31 by appending a random uuid4 to bucket names, then completed the patch in v1.148.0 on April 15 with explicit bucket ownership verification in Model.upload().

Organizations running Vertex AI workloads should upgrade to SDK version 1.148.0 or later, pass an explicit staging_bucket in a project they control rather than relying on the SDK default, and audit any pre-existing staging buckets to confirm they belong to the expected project. Security teams can use a WHOIS lookup, an SSL/TLS checker, and a broader privacy checkup to spot exposed or misconfigured internet-facing assets, but those tools do not reveal who owns a Cloud Storage bucket; bucket ownership has to be checked inside Google Cloud, and any predictable bucket name that a stranger could claim first should be treated as squattable in similar supply-chain attacks against AI infrastructure.

Source: The Hacker News →
