
Google has fixed a security flaw in its Vertex AI cloud platform that let attackers hijack a victim’s machine learning model uploads and run malicious code inside Google’s own infrastructure, without ever touching the victim’s account.
What the Flaw Allowed
The vulnerability lived inside the Vertex AI SDK for Python, the tool many developers use to build and upload machine learning models to Google Cloud. Palo Alto Networks’ Unit 42 named the technique “Pickle in the Middle.”
An attacker needed only two things to pull it off: a Google Cloud project of their own and the victim’s project ID, a detail that is often public. No password, no phishing email, and no prior foothold inside the victim’s systems were required.
How Attackers Could Hijack a Model
The trouble started with how the SDK picked a storage location for uploaded models. If a developer did not manually set a staging bucket, the SDK created one automatically using a predictable formula built from the project ID and region. That predictability is what made the attack possible.
An attacker who knew a victim’s project ID could create that exact bucket first, inside their own Google Cloud project, a move researchers call “bucket squatting.” They would loosen the bucket’s permissions so any authenticated Google Cloud identity could read and write to it. When the victim later uploaded a model without specifying their own bucket, the SDK quietly sent the model into the attacker’s bucket instead.
From there, the attacker had a narrow window, reported at around two and a half seconds, to swap the legitimate model for one carrying a malicious payload. Once the victim deployed what they believed was their own model, the attacker’s code would run inside Google’s serving infrastructure, opening the door to data theft, stolen credentials, and further compromise.
The Conditions Behind the Bug
The attack only worked under specific conditions: the victim’s default staging bucket could not already exist in that region, which is common for newer Vertex AI projects, and the developer had to be relying on the SDK’s default rather than naming a bucket of their own. Unit 42 tested versions 1.139.0 and 1.140.0 of the SDK and found both vulnerable.
How Google Closed the Gap
Unit 42 reported the issue through Google’s Vulnerability Reward Program on March 5, 2026. Google responded with two fixes.
The first, shipped in version 1.144.0 on March 31, added a random identifier to bucket names to make them harder to predict. The second, version 1.148.0 released April 15, added a check that verifies bucket ownership before the SDK uses it, closing off bucket squatting entirely. Neither Unit 42 nor Google has reported any sign the flaw was exploited before it was patched.
What Developers Should Do
Google and Unit 42 are urging anyone using the Vertex AI Python SDK to update to version 1.148.0 or later so the new ownership checks take effect. Developers should also set an explicit staging bucket of their own rather than letting the SDK choose one automatically, and watch model integrity through upload and deployment.
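The ownership check described above, as an added defender-side example that is not Google’s SDK code: it refuses a staging bucket unless it belongs to the expected project and carries no grant to allUsers or allAuthenticatedUsers. The bucket metadata and IAM policy are constructed dicts shaped like the Cloud Storage JSON API responses, and the project numbers are placeholders.

```python
from dataclasses import dataclass

# Principals that would let any Google Cloud identity read or write the bucket.
OVERLY_BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


@dataclass
class BucketCheck:
    ok: bool
    reason: str


def check_staging_bucket(bucket_meta: dict, iam_policy: dict, expected_project_number: str) -> BucketCheck:
    """Return ok=True only if the bucket is owned by our project and not open to everyone.

    bucket_meta mimics a Cloud Storage "buckets.get" response (projectNumber field),
    iam_policy mimics "buckets.getIamPolicy" (bindings of role -> members).
    """
    owner = str(bucket_meta.get("projectNumber", ""))
    if owner != expected_project_number:
        # A squatted bucket is created in the attacker's project, so its owner will not match.
        return BucketCheck(False, f"bucket {bucket_meta.get('name')} belongs to project "
                                  f"{owner or 'unknown'}, not {expected_project_number}")
    for binding in iam_policy.get("bindings", []):
        broad = OVERLY_BROAD_MEMBERS.intersection(binding.get("members", []))
        if broad:
            # Even an owned bucket must not be writable by arbitrary authenticated identities.
            return BucketCheck(False, f"role {binding['role']} granted to {sorted(broad)}")
    return BucketCheck(True, "bucket owned by expected project with no broad grants")


# Constructed sample: a bucket created in another project and opened to all authenticated identities.
SQUATTED_META = {"name": "example-staging-bucket", "projectNumber": "111111111111"}
SQUATTED_POLICY = {"bindings": [{"role": "roles/storage.objectAdmin",
                                 "members": ["allAuthenticatedUsers"]}]}

# Constructed sample: a bucket the victim project actually owns, restricted to one service account.
OWNED_META = {"name": "example-staging-bucket", "projectNumber": "222222222222"}
OWNED_POLICY = {"bindings": [{"role": "roles/storage.objectAdmin",
                              "members": ["serviceAccount:vertex-sa@example-project.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for label, meta, policy in (("squatted", SQUATTED_META, SQUATTED_POLICY),
                                ("owned", OWNED_META, OWNED_POLICY)):
        result = check_staging_bucket(meta, policy, "222222222222")
        print(f"{label}: ok={result.ok} ({result.reason})")
```

Run the check before every upload that would otherwise fall back to a default bucket name; a failure is also a useful signal to log, since a bucket with the expected name owned by a different project is exactly the condition this flaw relied on.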
This is not the first bucket-related gap Google has had to close in Vertex AI. In February, the company patched a separate flaw, tracked as CVE-2026-2473, that also allowed cross-tenant code execution through bucket squatting in Vertex AI Experiments.
As machine learning pipelines move into the cloud, attackers are searching for soft spots in the plumbing around the models rather than the models themselves.