Pickle in the Middle: Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
Palo Alto Networks' Unit 42 disclosed on June 16 a vulnerability in the Vertex AI Python SDK that allows remote code execution via bucket squatting.
At a glance
- Unit 42 discovered a Vertex AI Python SDK vulnerability enabling remote code execution via bucket squatting.
- The attack path involves hijacking Vertex AI model uploads and is described as cross-tenant RCE.
VERDICT — CONFIRMED
Palo Alto Networks' Unit 42 disclosed on June 16 a vulnerability in Google's Vertex AI Python SDK that allowed remote code execution via bucket squatting, hijacking model uploads to achieve cross-tenant RCE, per the firm's research post.
The SDK constructs staging bucket names deterministically as {project-id}-vertex-staging-{region}, and affected versions 1.139.0 and 1.140.0 of the google-cloud-aiplatform package checked only whether that bucket existed — not whether the victim's project owned it, per Unit 42. An attacker who pre-created the bucket could intercept uploads and swap in a poisoned model within a window of roughly 2.5 seconds; because models serialized with joblib/pickle are deserialized during deployment, a malicious pickle payload executes arbitrary code.
Exfiltrated tokens belonged to service accounts with cloud-platform scope, enabling model theft, BigQuery dataset enumeration and infrastructure reconnaissance, per the write-up.
Unit 42 reported the flaw to Google on March 5, 2026; a first fix adding UUID randomization shipped March 31 in v1.144.0, and bucket ownership verification followed April 15 in v1.148.0, per the post. No CVE identifier was cited. Unit 42 recommends upgrading to v1.148.0 or later and explicitly specifying the staging_bucket parameter. No in-the-wild exploitation was claimed in the material reviewed.
Key facts on file
- Unit 42 discovered a Vertex AI Python SDK vulnerability enabling remote code execution via bucket squatting.
- The attack path involves hijacking Vertex AI model uploads and is described as cross-tenant RCE.