Bottom line: The Vertex AI SDK for Python derived the names of its default temporary Cloud Storage buckets predictably from the project ID and region; an attacker could create a bucket with that name first so that the victim's model uploads landed in a bucket the attacker controlled, which led to code execution through manipulated pickle files.
Security researchers from Palo Alto Networks Unit 42 have disclosed a critical vulnerability in Google Cloud’s Vertex AI SDK for Python that allowed attackers to hijack model uploads and execute arbitrary code on Google-hosted infrastructure, without any direct access to the victim’s project.
The vulnerability, which the researchers named “Pickle in the Middle”, lay in the SDK’s automatic creation of temporary (staging) Cloud Storage buckets. When a user did not specify a bucket explicitly, the SDK derived a bucket name deterministically from the project ID and region. Because Cloud Storage bucket names are globally unique across all projects, an attacker who knew or guessed a victim’s project ID and region could create a bucket with that exact name in their own project ahead of time. The victim’s SDK would then find the name already taken and upload the model into the attacker-controlled bucket.
Once the upload landed in a bucket the attacker controlled, the attacker could swap the artifact for a manipulated file. Python models are commonly serialized with pickle, or with Joblib, which is built on pickle; both formats record callables that are invoked during deserialization, so a tampered file runs attacker-chosen code as soon as it is loaded, in this case arbitrary commands inside the Vertex AI serving container. In testing, Unit 42 demonstrated exfiltration of OAuth tokens, access to BigQuery metadata, and compromise of model artifacts.
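To make the deserialization hazard concrete, here is an added example (not code from the article or from Unit 42): it builds a pickle payload whose `__reduce__` names `os.system`, shows that a plain `pickle.loads` runs it, and then loads the same bytes through an allowlisting `Unpickler` that refuses the import. The command is the harmless `true`, and the weights dict is constructed sample data.

```python
import io
import os
import pickle


class MaliciousModel:
    """Stand-in for a tampered model artifact (constructed for this example).

    pickle stores the return value of __reduce__: a callable plus its
    arguments. Unpickling calls that callable, so whoever can rewrite the
    artifact chooses what runs when the serving container loads it.
    The command here is the harmless `true` so the demo is safe to run.
    """

    def __reduce__(self):
        return (os.system, ("true",))


def build_malicious_payload() -> bytes:
    """Bytes an attacker would drop into a hijacked staging bucket."""
    return pickle.dumps(MaliciousModel())


def build_benign_payload() -> bytes:
    """A plain dict of weights, the kind of object a model file should contain."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.5})


def unsafe_load(data: bytes):
    """What pickle.load / joblib.load does: executes whatever the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist unpickler: refuses every global not explicitly permitted."""

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "float"),
        ("builtins", "int"),
        ("builtins", "str"),
    }

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode, i.e. every callable
        # the stream wants to import. os.system arrives here as posix.system.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from an untrusted pickle"
        )


def safe_load(data: bytes):
    """Load a pickle while blocking arbitrary callables (allowlist approach)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data: bytes):
    """Return (ok, value_or_error_message) so callers can branch without exceptions."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("benign via safe_load:", safe_load(build_benign_payload()))
    print("malicious via safe_load:", try_safe_load(build_malicious_payload()))
    print("malicious via unsafe_load ran os.system, exit status:",
          unsafe_load(build_malicious_payload()))
```

The allowlist is the only robust control pickle offers: there is no way to validate a pickle stream without executing it, so a serving path that must accept pickle or Joblib artifacts should at minimum pin which classes it will reconstruct and treat everything else as hostile.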
Google patched the vulnerability in two stages. Version 1.144.0 of the google-cloud-aiplatform SDK added a random UUID4 to the default bucket name so it can no longer be predicted. Version 1.148.0 added a bucket ownership check, so the SDK refuses to stage an upload into a bucket that belongs to another project, which blocks squatting even where a bucket name is known.
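The squatting race and the two fixes, as an added simulation that is not the SDK’s own code: the naming scheme `{project}-vertex-staging-{region}` is a hypothetical stand-in for the pre-1.144.0 default (the article only says the name was derived from project ID and region), and `FakeBucketNamespace` is a constructed model of the first-come, first-served global namespace, not the google-cloud-storage API.

```python
import uuid


class FakeBucketNamespace:
    """Constructed stand-in for the global Cloud Storage bucket namespace.

    Real bucket names are unique across every project on the platform, so
    whoever creates a name first owns it. This dict models only that rule;
    it is not the google-cloud-storage client.
    """

    def __init__(self):
        self._owner = {}  # bucket name -> project that created it

    def create(self, name: str, project: str) -> bool:
        """Create a bucket; returns False if the name is already taken."""
        if name in self._owner:
            return False
        self._owner[name] = project
        return True

    def owner(self, name: str):
        return self._owner.get(name)


def legacy_default_bucket(project: str, region: str) -> str:
    """Deterministic default name (hypothetical pattern, see lead-in)."""
    return f"{project}-vertex-staging-{region}"


def hardened_default_bucket(project: str, region: str) -> str:
    """Name with a random UUID4 suffix, the 1.144.0 change."""
    return f"{project}-vertex-staging-{region}-{uuid.uuid4().hex}"


def stage_model(ns: FakeBucketNamespace, project: str, bucket: str,
                check_ownership: bool) -> str:
    """Return the project whose bucket the upload lands in.

    Mirrors a create-if-missing flow. With check_ownership=True (the
    1.148.0 change) staging into a bucket owned by another project is
    refused instead of silently reused.
    """
    ns.create(bucket, project)  # no-op when the name already exists
    owner = ns.owner(bucket)
    if check_ownership and owner != project:
        raise PermissionError(
            f"bucket {bucket!r} is owned by {owner!r}, not {project!r}; refusing to stage"
        )
    return owner


def simulate(namer, check_ownership: bool, region: str = "us-central1") -> str:
    """Attacker squats the predictable name, then the victim uploads."""
    ns = FakeBucketNamespace()
    victim, attacker = "victim-project", "attacker-project"
    # The attacker needs only the victim's project ID and region to guess the legacy name.
    ns.create(legacy_default_bucket(victim, region), attacker)
    # The victim's SDK computes its default bucket and stages the model there.
    return stage_model(ns, victim, namer(victim, region), check_ownership)


def outcome(namer, check_ownership: bool) -> str:
    """Landing project, or 'refused' when the ownership check fires."""
    try:
        return simulate(namer, check_ownership)
    except PermissionError:
        return "refused"


if __name__ == "__main__":
    print("vulnerable SDK:      ", outcome(legacy_default_bucket, check_ownership=False))
    print("random suffix only:  ", outcome(hardened_default_bucket, check_ownership=False))
    print("ownership check only:", outcome(legacy_default_bucket, check_ownership=True))
```

The random suffix alone already defeats a precomputed squat, while the ownership check turns a name collision into a hard failure instead of a silent redirect; the two are complementary, which is why the fix shipped in both stages. In the real SDK, passing `staging_bucket` explicitly to `aiplatform.init()` avoids the computed default altogether.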
CISOs should have the SDK updated to version 1.148.0 or later immediately; 1.144.0 removes the predictability, but the ownership check only arrives in 1.148.0. It is also recommended to set the staging_bucket parameter explicitly when uploading models, so the SDK never falls back to a computed default name, and to inventory the SDK version across every environment that imports it, including notebooks, CI/CD jobs, and training pipelines.
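A small inventory helper for that last recommendation, added here as an example rather than anything from the article: it scans `pip freeze` output collected from each environment and classifies the google-cloud-aiplatform pin against the two patch stages. The freeze snippets are constructed sample data, and the environment labels are arbitrary.

```python
import re

PACKAGE = "google-cloud-aiplatform"
UUID_ONLY_VERSION = (1, 144, 0)  # random suffix only
FIXED_VERSION = (1, 148, 0)      # random suffix plus ownership check

# name, optionally followed by ==version; anything else (>=, @ url) leaves version empty
_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*(\S+))?")
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed pip-freeze output for a handful of environments (sample data).
SAMPLE_FREEZES = {
    "notebook": "google-cloud-aiplatform==1.143.0\nnumpy==1.26.4\n",
    "ci": "google_cloud_aiplatform==1.144.0\npandas==2.2.2\n",
    "training": "# pinned by the pipeline\ngoogle-cloud-aiplatform==1.148.2\n",
    "batch": "google-cloud-aiplatform @ file:///wheels/google_cloud_aiplatform-1.140.0-py3-none-any.whl\n",
    "other": "requests==2.32.3\n",
}


def classify_version(version: str) -> str:
    """Map a version string onto the patch stages described in the article."""
    m = _SEMVER.match(version)
    if not m:
        return "unparsed"
    v = tuple(int(x) for x in m.groups())
    if v >= FIXED_VERSION:
        return "fixed"
    if v >= UUID_ONLY_VERSION:
        return "partial"   # unpredictable name, but no ownership check yet
    return "vulnerable"


def audit_freeze(source: str, freeze_text: str) -> dict:
    """Find the SDK in one environment's pip freeze output and classify it."""
    for line in freeze_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        if name != PACKAGE:
            continue
        version = m.group(2)
        status = classify_version(version) if version else "unparsed"
        return {"source": source, "version": version, "status": status}
    return {"source": source, "version": None, "status": "absent"}


def audit_environments(freezes: dict) -> list:
    """Audit every environment; 'unparsed' entries need a human look."""
    return [audit_freeze(src, text) for src, text in freezes.items()]


def needs_action(results: list) -> list:
    """Sources that must be upgraded or inspected before they upload a model."""
    return [r["source"] for r in results
            if r["status"] in ("vulnerable", "partial", "unparsed")]


if __name__ == "__main__":
    for r in audit_environments(SAMPLE_FREEZES):
        print(f"{r['source']:10} {str(r['version']):10} {r['status']}")
    print("needs action:", needs_action(audit_environments(SAMPLE_FREEZES)))
```

The "partial" bucket exists because 1.144.0 makes the default name unguessable but does not yet refuse a foreign bucket, so an environment on that version is still worth upgrading even though a precomputed squat no longer works against it.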
Source: www.it-daily.net · Published 19 June 2026
Lumi AI News — AI-assisted curation per Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.