The Point: Attackers could pre-register cloud storage buckets based on predictable naming schemes derived from project ID and region to replace uploaded models with malware before Vertex AI loaded them.
A design flaw in the Vertex AI SDK for Python (versions 1.139.0 and 1.140.0) could be exploited to replace other customers' AI models and execute arbitrary code. Attackers could preemptively seize staging buckets through bucket-squatting, because the bucket names were predictable.
Unit 42 researchers identified Vertex AI SDK for Python versions 1.139.0 and 1.140.0 as vulnerable. The critical weakness: the SDK derived staging bucket names solely from the customer's project ID and region. Before using a bucket, the SDK checked only whether a bucket with that name already existed, not whether the customer's own project owned it. Since bucket names must be globally unique, an attacker could reserve the identical name in their own project and wait for the victim to use it.
Once the SDK uploaded a model artifact to the squatted bucket, the attacker could replace it in the brief window before Vertex AI's service agent retrieved it. The resulting RCE arose from Python pickle deserialization: ML models are frequently serialized in pickle or joblib format, and pickle executes arbitrary code during deserialization, so a specially crafted object gives the attacker remote access to the Vertex AI infrastructure that loads it. Unit 42 called this attack class "Pickle in the Middle" (an allusion to man-in-the-middle).
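The pickle risk described above is a property of the format, not of Vertex AI: any loader that calls `pickle.load` on an artifact it does not fully trust will construct whatever objects the artifact names. The following added example (not code from the article, Unit 42 or Google) shows the standard mitigation from the Python documentation, an `Unpickler` subclass whose `find_class` resolves only an explicit allowlist of globals and refuses everything else before any object is built. The allowlist, the `safe_load_or_reject` wrapper and the two sample payloads are constructed for the example.

```python
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the loader may resolve. Anything outside
# it is refused before the object is constructed. Constructed for the example;
# a real model loader lists exactly the classes its artifact format needs.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals named on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle"
        )


def restricted_loads(data: bytes):
    """Deserialize `data` using the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_or_reject(data: bytes):
    """Return (True, object) on success or (False, reason) on refusal,
    so the caller can log rejected artifacts instead of crashing."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample artifacts: plain containers need no global lookup and
# load fine; datetime.date pickles through a global reference to
# datetime.date, which is outside the allowlist and is therefore refused.
BENIGN_PAYLOAD = pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 2})
OUT_OF_POLICY_PAYLOAD = pickle.dumps(datetime.date(2026, 6, 17))

if __name__ == "__main__":
    print(safe_load_or_reject(BENIGN_PAYLOAD))
    print(safe_load_or_reject(OUT_OF_POLICY_PAYLOAD))
```

Real model files reference many classes (numpy arrays, scikit-learn estimators, torch tensors), so the allowlist has to be widened deliberately for each format; a refusal on an unexpected global is exactly the signal a defender wants to see logged. Where the training pipeline allows it, a non-executable serialization format such as safetensors removes the deserialization code path entirely.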
Google has remedied the vulnerability. Fixes were rolled out in SDK versions 1.144.0 and 1.148.0. Staging buckets are now validated before use to prevent attackers from registering bucket names for resources in other projects. Users must update to one of these patched versions.
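The difference between the vulnerable and the fixed behaviour comes down to one check: does the bucket found under the expected name belong to the caller's project? The added example below (not the SDK's own code) models a global bucket namespace in memory and places the pre-fix "existence only" lookup beside a lookup that verifies ownership and refuses a bucket owned by another project. The naming scheme `staging_bucket_name`, the `FakeStorage` class, the `UntrustedBucketError` exception and the project names are all constructed for the example; the article only states that the real names were derived from project ID and region.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    name: str
    owner_project: str


@dataclass
class FakeStorage:
    """In-memory stand-in for a globally unique bucket namespace (constructed)."""
    buckets: dict = field(default_factory=dict)

    def lookup(self, name):
        """Return the bucket with this name, or None if nobody has created it."""
        return self.buckets.get(name)

    def create(self, name, owner_project):
        """Create a bucket; names are global, so a taken name cannot be reused."""
        if name in self.buckets:
            raise ValueError(f"bucket name {name!r} is already taken")
        self.buckets[name] = Bucket(name, owner_project)
        return self.buckets[name]


def staging_bucket_name(project_id, region):
    # Hypothetical scheme for the example. Any name that is fully predictable
    # from public or guessable inputs can be reserved ahead of time by someone else.
    return f"{project_id}-{region}-staging"


class UntrustedBucketError(Exception):
    """Raised when the expected staging bucket exists but is owned elsewhere."""


def get_staging_bucket_existence_only(storage, project_id, region):
    """Pre-fix behaviour: reuse any bucket carrying the expected name."""
    name = staging_bucket_name(project_id, region)
    bucket = storage.lookup(name)
    if bucket is None:
        bucket = storage.create(name, project_id)
    return bucket


def get_staging_bucket_verified(storage, project_id, region):
    """Hardened behaviour: only a bucket owned by this project is acceptable."""
    name = staging_bucket_name(project_id, region)
    bucket = storage.lookup(name)
    if bucket is None:
        return storage.create(name, project_id)
    if bucket.owner_project != project_id:
        raise UntrustedBucketError(
            f"bucket {name!r} exists but is owned by {bucket.owner_project!r}, "
            f"not {project_id!r}; refusing to stage artifacts there"
        )
    return bucket


def squat_scenario(lookup):
    """Constructed scenario: another project reserved the victim's name first.
    Returns the owner of the bucket the SDK would upload to, or 'rejected'."""
    storage = FakeStorage()
    storage.create(staging_bucket_name("victim-project", "us-central1"), "squatter-project")
    try:
        bucket = lookup(storage, "victim-project", "us-central1")
    except UntrustedBucketError:
        return "rejected"
    return bucket.owner_project


if __name__ == "__main__":
    print("existence-only check uploads to:", squat_scenario(get_staging_bucket_existence_only))
    print("ownership check result:", squat_scenario(get_staging_bucket_verified))
```

Against real Google Cloud Storage the equivalent of the `owner_project` comparison is to fetch the bucket's metadata (the `google.cloud.storage.Bucket` object exposes the owning project number as `project_number`) and compare it with the caller's own project number before any upload; a mismatch should be treated as an incident, not silently worked around with a new name.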
During the analysis, Unit 42 used a large language model to find security vulnerabilities more quickly. According to the researchers, analyses that previously took days were significantly shortened. By iteratively narrowing the model's focus and searching for specific patterns, they identified code paths in which access to cloud resources depended on user-controlled or project-derived inputs.
Source: www.csoonline.com · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.