Google Vertex AI SDK flaw enabled ML model hijacking
Key insights
- The Vertex AI Python SDK auto-generated predictable bucket names as `project-vertex-staging-region`, requiring only a victim's public project ID to pre-register them.
- Versions 1.139.0 and 1.140.0 were confirmed vulnerable; Google shipped full ownership verification in v1.148.0 on April 15, 2026.
- Pickle and joblib models execute code on load, letting attackers run arbitrary payloads inside Google's serving container and steal OAuth tokens.
Why this matters
Default SDK behavior that auto-generates bucket names without ownership verification creates a supply-chain vulnerability exploitable with only a public project ID, requiring no elevated access or credentials. ML practitioners using default Vertex AI SDK configurations in notebooks, CI pipelines, and training jobs were silently exposed, with at least versions 1.139.0 and 1.140.0 confirmed vulnerable before Google's initial patch shipped March 31. The layered fix pattern, first randomizing names in v1.144.0 then adding explicit ownership verification in v1.148.0, sets a practical standard for how cloud SDKs staging sensitive artifacts should enforce authorization at every step.
Summary
A naming flaw in Google's Vertex AI Python SDK let attackers hijack ML model uploads using only a victim's public project ID.
The SDK auto-generated bucket names as `project-vertex-staging-region`, checking existence but never ownership. Attackers pre-created the expected bucket and swapped in malicious models before Vertex AI loaded them. Pickle and joblib execute code on load, exposing OAuth tokens inside Google's serving container.
Essentially: for Google Cloud and its SDK users, a default naming pattern became a takeover surface.
- Versions 1.139.0-1.140.0 confirmed vulnerable; reported March 5, 2026 via Google's Vulnerability Reward Program.
- v1.144.0 (March 31) randomized names; v1.148.0 (April 15) added ownership verification.
Organizations on older versions in notebooks or CI pipelines remain exposed.
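The existence-only check described above, beside the ownership verification that closes it, as an added example that is not the Vertex AI SDK's own code. The `project-vertex-staging-region` name pattern follows the page's description; the bucket metadata is constructed for the demonstration, and the `lookup` callable stands in for a Cloud Storage bucket-metadata query (an assumption about wiring, not an SDK API).

```python
import secrets
from typing import Callable, Optional

# Constructed sample data: bucket name -> owning project number.
# The us-central1 staging bucket for "victim-proj" was pre-registered by another
# project (a squatter); the europe-west1 one belongs to the victim's own project.
VICTIM_PROJECT_NUMBER = 123456
SAMPLE_BUCKETS = {
    "victim-proj-vertex-staging-us-central1": {"project_number": 999999},
    "victim-proj-vertex-staging-europe-west1": {"project_number": 123456},
}

def sample_lookup(name: str) -> Optional[dict]:
    """Stand-in for a bucket metadata query; None means the bucket does not exist."""
    return SAMPLE_BUCKETS.get(name)

def predictable_staging_name(project_id: str, region: str) -> str:
    """The predictable pattern the page describes: anyone who knows the project ID can derive it."""
    return f"{project_id}-vertex-staging-{region}"

def randomized_staging_name(project_id: str, region: str) -> str:
    """First layer of the fix: an unguessable suffix, so the name cannot be pre-registered."""
    return f"{project_id}-vertex-staging-{region}-{secrets.token_hex(4)}"

class StagingBucketError(Exception):
    """Raised when the expected staging bucket exists but is owned by another project."""

def resolve_staging_bucket(project_id: str, region: str, expected_project_number: int,
                           lookup: Callable[[str], Optional[dict]],
                           verify_ownership: bool = True) -> str:
    """Return the staging bucket name to use, or raise if another project owns it.

    verify_ownership=False reproduces the existence-only behaviour of the vulnerable
    SDK: a bucket with the expected name is reused regardless of who created it.
    """
    name = predictable_staging_name(project_id, region)
    meta = lookup(name)
    if meta is None:
        return name  # not yet created; the caller would create it under its own project
    if verify_ownership and meta["project_number"] != expected_project_number:
        raise StagingBucketError(
            f"{name} exists but belongs to project {meta['project_number']}, "
            f"not {expected_project_number}; refusing to stage artifacts there")
    return name
```

With `verify_ownership=False` the squatted us-central1 bucket is silently reused, which is the flaw; with the default the same call is refused, while the victim-owned europe-west1 bucket and a not-yet-created bucket pass.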
Potential risks and opportunities
Risks
- Organizations running Vertex AI SDK versions prior to v1.148.0 in automated notebooks, CI jobs, or training pipelines remain exposed to model swapping and arbitrary code execution inside Google's serving container.
- OAuth tokens accessible inside Google's serving container could be harvested to pivot laterally into broader Google Cloud infrastructure if any exploitation occurred before patching.
- Teams that have not audited SDK invocations across notebooks, CI jobs, and training pipelines, as Google specifically recommends, may leave unpatched staging endpoints running without knowing it.
Opportunities
- ML security and software supply-chain vendors gain a concrete case study for pitching SDK-level artifact integrity scanning to Google Cloud enterprise customers evaluating their ML pipeline exposure.
- Cloud security posture management tools can differentiate by shipping automated checks for predictable auto-provisioned bucket names and missing ownership verification across Google Cloud Platform tenants.
- Google's Vulnerability Reward Program disclosure strengthens the business case for other cloud vendors to fund targeted SDK security audits, potentially expanding the bug-bounty surface across ML infrastructure components.
What we don't know yet
- How many Google Cloud projects ran vulnerable SDK versions between the March 5 report date and the March 31 initial patch, and whether any exploitation occurred in the wild.
- Whether Google has audited other SDK auto-provisioning patterns that follow similarly predictable naming conventions across its broader cloud product suite.
- What data beyond OAuth tokens was accessible inside Google's serving container during a successful exploit, and whether Google has confirmed no active exploitation occurred.
Originally reported by thehackernews.com
Original headline: Google Vertex AI SDK 'Pickle in the Middle': Unit 42 Discloses Bucket-Squatting Flaw That Let Attackers Hijack ML Model Uploads for Cross-Tenant RCE — Fully Patched in SDK v1.148.0