Security researchers have disclosed a serious vulnerability in Google’s Vertex AI SDK for Python that could have allowed attackers to hijack machine learning model uploads and execute malicious code within Google’s AI serving infrastructure.
The flaw, discovered by Palo Alto Networks’ Unit 42 research team, was dubbed “Pickle in the Middle.” While no evidence of real-world exploitation has been found, the vulnerability exposed a significant supply chain risk for organizations deploying machine learning models on Google Cloud.
Google has since addressed the issue, and users are strongly advised to upgrade to Vertex AI SDK version 1.148.0 or later.
How the Attack Worked
What makes this vulnerability particularly concerning is that attackers did not require access to a victim’s Google Cloud environment.
To launch the attack, a threat actor only needed:
- Their own Google Cloud project
- The victim’s Google Cloud project ID
Project IDs are not secrets: they appear in resource URLs, in service account e-mail addresses and in error messages, so attackers could identify targets without obtaining credentials, compromising accounts, or running phishing campaigns.
The vulnerability originated from the way the Vertex AI SDK automatically selected temporary Cloud Storage buckets during model uploads.
When a developer did not specify a staging bucket, the SDK derived one from the project ID and region, following a predictable pattern of the form:
project-vertex-staging-region
(where project and region stand for the victim's project ID and region). The SDK then checked only whether a bucket with that name already existed: if it did, the SDK used it, without ever verifying that the bucket belonged to the caller's project.
Because Google Cloud Storage bucket names are globally unique, attackers could pre-register the expected bucket name within their own Google Cloud project before the victim created it.
As a result, the victim’s model files would be uploaded directly into infrastructure controlled by the attacker.
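To make the failure concrete, here is an added example that models the flaw as the article describes it; it is not code from the Vertex AI SDK or from Unit 42. The bucket namespace, the project IDs and the resolver function are all constructed for illustration: a dictionary stands in for the global Cloud Storage namespace, and the "vulnerable" resolver reproduces the existence-check-without-ownership logic.

```python
"""Added example (not the Vertex AI SDK's code): a minimal model of
staging-bucket squatting. GCS_NAMESPACE, the project IDs and the resolver
are constructed for illustration."""

# Constructed stand-in for the global Cloud Storage bucket namespace:
# bucket name -> owning project. Bucket names are globally unique, so the
# first project to create a name owns it, whatever the name looks like.
GCS_NAMESPACE: dict[str, str] = {}


def create_bucket(name: str, owner_project: str) -> bool:
    """Create a bucket; fails if the global name is already taken."""
    if name in GCS_NAMESPACE:
        return False
    GCS_NAMESPACE[name] = owner_project
    return True


def predictable_staging_bucket(project_id: str, region: str) -> str:
    """The pattern the article describes: project ID + fixed suffix + region."""
    return f"{project_id}-vertex-staging-{region}"


def resolve_staging_bucket_vulnerable(project_id: str, region: str) -> str:
    """Models the pre-fix behaviour: derive the name, create it if no bucket
    with that name exists, otherwise use whatever bucket already has the
    name. The existence check never asks who owns the bucket."""
    name = predictable_staging_bucket(project_id, region)
    if name not in GCS_NAMESPACE:       # not found -> create it in my project
        create_bucket(name, project_id)
    return name                          # found -> use it, owner unchecked


def upload_model_artifact(project_id: str, region: str, artifact: bytes) -> str:
    """Return the project that actually receives the uploaded bytes."""
    bucket = resolve_staging_bucket_vulnerable(project_id, region)
    return GCS_NAMESPACE[bucket]


def run_squat_scenario() -> dict:
    """Attacker pre-registers the victim's predictable name from their own
    project before the victim's first upload in that region."""
    GCS_NAMESPACE.clear()
    victim, attacker, region = "acme-ml-prod", "attacker-proj", "us-central1"
    squatted = predictable_staging_bucket(victim, region)
    attacker_got_name = create_bucket(squatted, attacker)
    receiving_project = upload_model_artifact(victim, region, b"model.pkl bytes")
    return {
        "attacker_got_name": attacker_got_name,
        "bucket": squatted,
        "receiving_project": receiving_project,
    }


def run_control_scenario() -> dict:
    """Same victim, but the default staging bucket already exists in the
    victim's project (one of the conditions that blocks the attack)."""
    GCS_NAMESPACE.clear()
    victim, attacker, region = "acme-ml-prod", "attacker-proj", "us-central1"
    name = predictable_staging_bucket(victim, region)
    create_bucket(name, victim)                      # victim got there first
    attacker_got_name = create_bucket(name, attacker)  # now fails: name taken
    receiving_project = upload_model_artifact(victim, region, b"model.pkl bytes")
    return {"attacker_got_name": attacker_got_name, "receiving_project": receiving_project}


if __name__ == "__main__":
    print(run_squat_scenario())
    print(run_control_scenario())
```

The two scenarios show the whole condition in one line each: if the attacker creates the name first, the victim's upload lands in the attacker's project; if the victim's bucket already exists, the squat fails and the upload stays home.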
Model Swapping Leads to Remote Code Execution
After intercepting the upload, attackers could replace the legitimate machine learning model with a malicious version.
This attack was especially effective because many Python machine learning models are stored using serialization formats such as:
- Pickle
- Joblib
These formats can execute arbitrary code when loaded.
When Vertex AI later loaded the compromised model for deployment, the malicious code would execute inside Google’s managed AI serving environment.
Researchers demonstrated the attack in a proof-of-concept scenario by leveraging a Cloud Function that automatically monitored uploads and replaced the model before Vertex AI processed it.
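The following added example (not from the article or from Unit 42's proof of concept) shows why a swapped pickle artifact is equivalent to code execution, and two checks a loader can apply. The gadget class, the payload and the allowlist are constructed for illustration; the "attacker code" it runs is a harmless os.getpid() so the script is safe to execute.

```python
"""Added example: pickle deserialization as code execution, plus a static
import scan and a restricted unpickler. ReduceGadget, ALLOWED_GLOBALS and
the payload are constructed for illustration."""
import builtins
import io
import os
import pickle
import pickletools
from typing import List, Optional, Tuple


class ReduceGadget:
    """Any object can tell pickle how to rebuild itself. On load, pickle
    calls the returned callable with the returned args, here builtins.eval
    on an attacker-chosen string, before any model code ever runs."""

    def __reduce__(self):
        return (builtins.eval, ("__import__('os').getpid()",))


def build_malicious_artifact() -> bytes:
    """What an attacker would write into a squatted staging bucket."""
    return pickle.dumps(ReduceGadget())


def naive_load(data: bytes):
    """The serving-side behaviour the article describes: load runs the gadget."""
    return pickle.loads(data)


def current_pid() -> int:
    return os.getpid()


def list_imports(data: bytes) -> List[Tuple[str, str]]:
    """Static check: enumerate every (module, name) the pickle would import
    WITHOUT executing it. Protocols below 4 use GLOBAL with 'module name'
    as its argument; protocol 4+ push two strings and then STACK_GLOBAL.
    A freshly written pickle pushes those strings right before STACK_GLOBAL,
    which is all this simplified tracker relies on (a full scanner would
    emulate the memo and the stack)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


# Constructed allowlist: a real one lists exactly the classes your model needs.
ALLOWED_GLOBALS = {
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
    ("numpy.core.multiarray", "_reconstruct"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime check: refuse to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from untrusted pickle")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> Optional[str]:
    """Return the refusal message if the restricted loader rejects the data."""
    try:
        safe_load(data)
    except pickle.UnpicklingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    payload = build_malicious_artifact()
    print("imports:", list_imports(payload))
    print("restricted loader says:", safe_load_rejects(payload))
    print("naive load executed eval and returned:", naive_load(payload))
```

The static scan is the gate to run in a pipeline before an artifact is ever deserialized; the restricted unpickler is the belt-and-braces check at load time. Neither helps if the serving platform loads the file with a plain pickle.load, which is the situation the article describes; the durable fix is to stop treating the staging bucket as trusted.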
Race Against Time
The attack relied on a narrow execution window.
According to Unit 42 researchers:
- Average time between upload and model loading: approximately 2.5 seconds
- Malicious model replacement time: approximately 1.4 seconds
On average that left attackers a margin of roughly one second to swap the uploaded model before Vertex AI read it.
Potential Impact
Once code execution was achieved, researchers successfully extracted OAuth access tokens from the serving container’s metadata service.
The stolen tokens enabled access to additional cloud resources within the same Google-managed tenant environment.
Potentially exposed assets included:
- Machine learning models and trained weights
- BigQuery metadata
- Access control information
- Tenant logs
- Kubernetes cluster names
- Internal container image paths
The findings show how a single flaw in default resource naming can expose sensitive AI infrastructure and proprietary machine learning assets.
Conditions Required for Exploitation
Fortunately, exploitation required several specific conditions to be met.
The attack only worked when:
- The victim had not already created a default Vertex AI staging bucket in the target region.
- The developer relied on the SDK's default bucket generation process.
- The staging_bucket parameter remained unset during model uploads.
These circumstances are particularly common in newly created Vertex AI projects where developers use default configurations.
Google’s Response and Fix Timeline
Unit 42 reported the vulnerability through Google’s Vulnerability Reward Program on March 5, 2026.
Researchers confirmed the issue in SDK versions 1.139.0 and 1.140.0.
Google responded with a two-stage remediation process:
Version 1.144.0 (March 31, 2026)
The company introduced randomized bucket names by adding a UUID value to generated bucket identifiers, reducing predictability.
Version 1.148.0 (April 15, 2026)
Google completed the fix by implementing ownership verification checks within the Model.upload() process, preventing attackers from exploiting bucket-squatting techniques.
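As an added example (not the SDK's real code), the two remediation stages can be modelled as follows. Stage 1 makes the name unpredictable with a UUID; stage 2 refuses to use an existing bucket that the caller's project does not own. The namespace, project IDs and resolver are constructed for illustration, and the example goes slightly beyond the text by also showing what happens when an explicitly configured name turns out to be attacker-owned.

```python
"""Added example: a model of the two-stage fix. GCS_NAMESPACE, the project
IDs and the resolver are constructed for illustration."""
import uuid
from typing import Optional

# Constructed stand-in for the global bucket namespace: name -> owning project.
GCS_NAMESPACE: dict = {}


def create_bucket(name: str, owner_project: str) -> bool:
    if name in GCS_NAMESPACE:
        return False
    GCS_NAMESPACE[name] = owner_project
    return True


def bucket_owner(name: str) -> Optional[str]:
    return GCS_NAMESPACE.get(name)


def predictable_staging_bucket(project_id: str, region: str) -> str:
    """The old, guessable pattern an attacker can pre-register."""
    return f"{project_id}-vertex-staging-{region}"


def randomised_staging_bucket(project_id: str, region: str) -> str:
    """Stage 1 (models 1.144.0): a UUID suffix means nobody can pre-register
    the name. On its own it does not check who owns a bucket already in use."""
    return f"{project_id}-vertex-staging-{region}-{uuid.uuid4().hex}"


def ensure_owned_bucket(name: str, project_id: str) -> str:
    """Stage 2 (models 1.148.0): create the bucket if absent, otherwise
    insist that it belongs to the caller's project before using it."""
    owner = bucket_owner(name)
    if owner is None:
        create_bucket(name, project_id)
    elif owner != project_id:
        raise PermissionError(
            f"staging bucket {name!r} exists but is owned by {owner!r}, not {project_id!r}")
    return name


def resolve_staging_bucket_fixed(project_id: str, region: str,
                                 staging_bucket: Optional[str] = None) -> str:
    """Fixed resolver: explicit bucket if given, else a randomised default,
    and ownership is verified either way."""
    name = staging_bucket or randomised_staging_bucket(project_id, region)
    return ensure_owned_bucket(name, project_id)


def run_fix_scenario() -> dict:
    GCS_NAMESPACE.clear()
    victim, attacker, region = "acme-ml-prod", "attacker-proj", "us-central1"
    squatted = predictable_staging_bucket(victim, region)
    create_bucket(squatted, attacker)   # attacker squats the old pattern

    # Default path: the name is random, so it never collides with the squat.
    default_name = resolve_staging_bucket_fixed(victim, region)

    # Explicit path with a legacy, now attacker-owned name: refused.
    try:
        resolve_staging_bucket_fixed(victim, region, staging_bucket=squatted)
        explicit_refused = False
    except PermissionError:
        explicit_refused = True

    return {
        "default_name_is_predictable": default_name == squatted,
        "default_owner": bucket_owner(default_name),
        "explicit_squatted_refused": explicit_refused,
    }


if __name__ == "__main__":
    print(run_fix_scenario())
```

Randomisation alone closes the pre-registration window; the ownership check is what makes the resolver safe even when a name is supplied from outside, which is why the article describes the second release as completing the fix.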
At the time of disclosure, no CVE identifier had been assigned to the vulnerability.
Security Recommendations
Organizations using Vertex AI should immediately review their deployments and apply the latest SDK updates.
Recommended actions include:
Upgrade the SDK
Update all environments to:
Vertex AI SDK v1.148.0 or later
This ensures ownership validation is performed during model uploads.
Define Custom Staging Buckets
Instead of relying on automatic bucket generation, explicitly configure a Cloud Storage bucket that your organization owns and manages, for example by passing staging_bucket to aiplatform.init() so every upload in that session uses it.
Audit All AI Development Environments
Because the vulnerable logic resides in the client SDK rather than in server-side infrastructure, the fix only takes effect where the SDK is upgraded: an unpatched copy in any environment keeps generating the predictable bucket name.
Administrators should verify SDK versions across:
- Development notebooks
- CI/CD pipelines
- Training environments
- Production workloads
- Data science workstations
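One way to carry out that audit, as an added example that is not part of the original article: collect the output of pip freeze from each environment and check the pinned version of the SDK's PyPI package, google-cloud-aiplatform, against the fixed release. The freeze captures below are constructed sample data, not real environments.

```python
"""Added example: audit Vertex AI SDK versions across environments from
`pip freeze` output. SAMPLE_FREEZES is constructed sample data."""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = "1.148.0"

# Constructed `pip freeze` captures, one per environment.
SAMPLE_FREEZES: Dict[str, str] = {
    "dev-notebook": "numpy==1.26.4\ngoogle-cloud-aiplatform==1.139.0\n",
    "ci-pipeline": "google-cloud-aiplatform==1.144.0\nscikit-learn==1.5.0\n",
    "training-job": "google_cloud_aiplatform==1.148.0\n",   # underscore form
    "prod-serving": "google-cloud-aiplatform==1.150.2\n",
    "workstation": "pandas==2.2.2\n",                       # SDK absent
}

# pip normalises '-' and '_' interchangeably, so accept both spellings.
_SDK_LINE = re.compile(r"^google[-_]cloud[-_]aiplatform==([0-9A-Za-z.]+)\s*$",
                       re.IGNORECASE | re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison; sufficient for this package's X.Y.Z scheme.
    Anything after a '+' (local version label) is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("+")[0]))


def installed_sdk_version(freeze_text: str) -> Optional[str]:
    m = _SDK_LINE.search(freeze_text)
    return m.group(1) if m else None


def audit(freezes: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return environment -> (status, version), where status is one of
    'ok', 'upgrade' or 'missing'."""
    fixed = parse_version(FIXED_VERSION)
    result = {}
    for env, text in freezes.items():
        ver = installed_sdk_version(text)
        if ver is None:
            result[env] = ("missing", None)
        elif parse_version(ver) >= fixed:
            result[env] = ("ok", ver)
        else:
            result[env] = ("upgrade", ver)
    return result


if __name__ == "__main__":
    for env, (status, ver) in audit(SAMPLE_FREEZES).items():
        print(f"{env:14s} {status:8s} {ver or '-'}")
```

A "missing" result is not automatically safe: it only means the SDK is not in that environment's freeze output, so confirm that the environment never performs model uploads before marking it clear.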
Not the First Vertex AI Bucket-Squatting Issue
This vulnerability represents the second bucket-name prediction flaw affecting Vertex AI in 2026.
Earlier this year, Google addressed CVE-2026-2473, a separate bucket-squatting vulnerability impacting Vertex AI Experiments.
That flaw similarly enabled:
- Cross-tenant code execution
- Model theft
- Model poisoning attacks
Security researchers have also previously identified concerns surrounding Vertex AI service-agent permissions, demonstrating how compromised AI workloads can potentially access both customer and tenant-level resources.
Final Thoughts
The “Pickle in the Middle” vulnerability highlights the growing security challenges facing cloud-based AI platforms.
As organizations increasingly deploy machine learning models in managed environments, seemingly minor configuration issues—such as predictable resource naming—can create opportunities for sophisticated cross-tenant attacks.
While Google has successfully patched the issue, the incident serves as a reminder that AI infrastructure security extends beyond model performance and data protection. Proper configuration management, secure storage practices, and regular dependency updates remain critical components of any cloud AI security strategy.
