Google Patches Vertex AI SDK Flaw That Enabled Model Hijacking Through Bucket Squatting

Google has addressed a significant security vulnerability in the Vertex AI SDK for Python that could have enabled attackers to hijack machine learning model uploads and execute malicious code within Google’s cloud infrastructure. The flaw, discovered by researchers at Palo Alto Networks Unit 42 and reported through Google’s Vulnerability Reward Program, has been named “Pickle in the Middle.” According to the researchers, the issue did not require attackers to gain access to a victim’s Google Cloud environment, credentials, or systems. Instead, the attack could be carried out using only a publicly known Google Cloud project identifier and an attacker-controlled Google Cloud project. Google stated that there is no evidence indicating the vulnerability was exploited in real-world attacks and has since released security updates to address the issue. Users are advised to update to version 1.148.0 or later of the Vertex AI SDK for Python to ensure protection against the vulnerability.

The security weakness originated in the way the SDK automatically selected temporary Cloud Storage buckets during machine learning model uploads. When developers did not explicitly specify a staging bucket, the SDK generated a predictable bucket name from a combination of the project identifier and deployment region. While the software checked whether the bucket already existed, it did not verify ownership of the bucket before using it. Because Google Cloud Storage bucket names are globally unique, an attacker could create the expected bucket name in advance within their own project. As a result, when the victim uploaded a machine learning model, the files would be directed to the attacker-controlled bucket rather than a legitimate destination. Researchers explained that the attacker could then replace the uploaded model with a malicious version before the system processed it. Many machine learning models developed in Python are stored using formats such as pickle or joblib, both of which can execute embedded code when loaded. This characteristic enabled attackers to potentially run malicious code inside Vertex AI serving environments when the altered model was later deployed.

Unit 42 researchers demonstrated that the attack relied on a narrow timing window between the upload process and the moment Vertex AI retrieved the model. During testing, researchers observed an average delay of approximately 2.5 seconds between these events. To exploit the flaw successfully, attackers used automated cloud functions capable of replacing uploaded files within approximately 1.4 seconds. Once executed, the malicious payload extracted OAuth authentication tokens from the serving container’s metadata service and transmitted them to attacker-controlled infrastructure. Researchers found that the stolen tokens were not limited to a single deployment and could potentially provide access to other resources hosted within the same Google-managed tenant environment. In the proof-of-concept environment, the tokens enabled access to machine learning models, trained TensorFlow model weights, BigQuery metadata, access control information, tenant logs, Kubernetes cluster names, and internal container image paths. These findings highlighted the potential impact of the flaw on cloud-hosted artificial intelligence environments where sensitive intellectual property and operational data may reside.

The attack was only possible under specific conditions. Researchers noted that the targeted project needed to lack an existing default staging bucket in the selected region, and developers had to rely on the SDK’s default bucket selection mechanism instead of specifying their own storage location. Unit 42 reported the issue to Google on March 5, 2026, after confirming that versions 1.139.0 and 1.140.0 were vulnerable. Google introduced an initial mitigation in version 1.144.0 on March 31 by adding random identifiers to bucket names. A more comprehensive fix was released in version 1.148.0 on April 15, incorporating bucket ownership verification to prevent bucket squatting attacks within the Model.upload() process. Researchers also noted that this represents the second bucket-squatting-related vulnerability identified in Vertex AI during 2026. Earlier this year, Google addressed CVE-2026-2473, a separate issue affecting Vertex AI Experiments that similarly created opportunities for cross-tenant code execution, model theft, and model manipulation. Security experts recommend that organisations update all environments using the Vertex AI SDK, including notebooks, training pipelines, and continuous integration systems, while also configuring explicitly controlled staging buckets to reduce exposure to similar risks.
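The two bucket-selection behaviours the article contrasts, the original existence-only check and the fixed version that verifies ownership and randomises new names, are easiest to see side by side in code. The following Python is an added illustration and is not code from the Vertex AI SDK or from Unit 42; the in-memory `BUCKET_REGISTRY` stands in for the global Cloud Storage namespace and holds constructed sample data, and `expected_bucket_name`, `choose_bucket_insecure`, `choose_bucket_secure` and `BucketSquattingError` are hypothetical names chosen for the example.

```python
"""Staging-bucket selection: existence-only check vs ownership-verified choice.

Added example, not Vertex AI SDK code. BUCKET_REGISTRY models the single
global bucket namespace (name -> owning project) with constructed entries.
"""
import secrets
from typing import Optional

# Constructed sample namespace. The first entry models a squatted bucket: the
# predictable name for the victim's us-central1 uploads has been pre-created
# by a different project, as the article describes.
BUCKET_REGISTRY = {
    "victim-project-us-central1-staging": "attacker-project",
    "victim-project-europe-west4-staging": "victim-project",
}


class BucketSquattingError(RuntimeError):
    """Raised when the expected staging bucket is owned by another project."""


def expected_bucket_name(project_id: str, region: str) -> str:
    """Predictable name derived only from public inputs (project id + region)."""
    return f"{project_id}-{region}-staging"


def bucket_owner(name: str) -> Optional[str]:
    """Owning project of a bucket, or None if no bucket has that name."""
    return BUCKET_REGISTRY.get(name)


def choose_bucket_insecure(project_id: str, region: str) -> str:
    """Weak pattern the article describes: if a bucket with the expected name
    exists, reuse it without asking who owns it. A squatted name is accepted
    and the caller's uploads go to the other project's bucket."""
    name = expected_bucket_name(project_id, region)
    if bucket_owner(name) is None:
        BUCKET_REGISTRY[name] = project_id  # create it in the caller's project
    return name


def choose_bucket_secure(project_id: str, region: str) -> str:
    """Hardened pattern: reuse the expected bucket only if this project owns
    it; refuse (fail closed) if another project holds the name; and when a
    new bucket must be created, append an unguessable random suffix so the
    name cannot be predicted and pre-registered from public inputs alone."""
    name = expected_bucket_name(project_id, region)
    owner = bucket_owner(name)
    if owner == project_id:
        return name
    if owner is not None:
        raise BucketSquattingError(
            f"bucket {name!r} exists but is owned by {owner!r}, "
            f"not {project_id!r}; refusing to stage model files there"
        )
    fresh = f"{name}-{secrets.token_hex(4)}"
    BUCKET_REGISTRY[fresh] = project_id
    return fresh


if __name__ == "__main__":
    squatted = choose_bucket_insecure("victim-project", "us-central1")
    print("insecure:", squatted, "-> owner", bucket_owner(squatted))
    try:
        choose_bucket_secure("victim-project", "us-central1")
    except BucketSquattingError as exc:
        print("secure:", exc)
    print("secure (own bucket):", choose_bucket_secure("victim-project", "europe-west4"))
    print("secure (new bucket):", choose_bucket_secure("victim-project", "asia-east1"))
```

The insecure chooser hands the victim's uploads to the bucket owned by `attacker-project`, which is the squatting condition; the secure chooser refuses that bucket outright and only ever creates new buckets under a name that includes random bytes. In a real deployment the simplest way to avoid depending on any default selection at all is the article's closing recommendation: configure an explicitly controlled bucket, for example by passing `staging_bucket` to `aiplatform.init()` in the Vertex AI SDK.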
