Researchers at Palo Alto Networks Unit 42 have disclosed a vulnerability in the Google Cloud Vertex AI SDK for Python (google-cloud-aiplatform) that, before patching, would have allowed an attacker operating entirely from their own Google Cloud project to intercept a victim’s machine-learning model upload and plant malicious code inside it. Google fixed the issue in SDK version 1.148.0, released April 15, 2026.

Root Cause: Predictable Bucket Names

When a Vertex AI user uploads a model to the Model Registry without specifying a custom staging bucket, the SDK derives a default Google Cloud Storage (GCS) bucket name from the victim's project ID and region using a deterministic pattern. GCS bucket names are globally unique across all of Google Cloud, and project IDs are not secret, so an attacker who knows a target project ID can create a bucket with exactly that name in their own project before the victim ever does. This technique is known as bucket squatting. The SDK did not check who owned the bucket before using it: if the name already existed, it staged the victim's model artifacts there instead of refusing or warning that the bucket belonged to a different project.

The Attack Chain

  • The attacker predicts the victim’s default staging bucket name using the public project ID and target region.
  • The attacker creates that bucket in their own project before the victim triggers an upload.
  • The victim’s SDK stages model artifacts into the attacker’s bucket without any warning.
  • In the window between staging and deployment, the attacker, who owns the bucket and can read and write its objects, replaces the legitimate model artifacts with a poisoned version containing a malicious pickle payload.
  • When the victim deploys the model, Vertex AI's internal service agent (a Per-Product, Per-Project Service Account, or P4SA) loads the artifacts into the serving container; deserializing the poisoned file executes the attacker's code in that container.

Why Pickle Makes This Dangerous

Machine-learning models in the Python ecosystem are commonly serialized with pickle or its Joblib wrapper. The pickle protocol lets an object define a __reduce__ method that returns a callable and its arguments; the pickler records that pair in the stream, and the unpickler calls the callable with those arguments to rebuild the object. Nothing validates which callable is referenced, so an attacker who controls a pickle file can point it at os.system or subprocess and have any command run the moment joblib.load() or pickle.load() is called, before the caller ever sees the "model". Unit 42 named the technique Pickle in the Middle, referencing both the deserialization mechanism and the attacker's position in the upload pipeline.
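The mechanism described above, as an added example (not code from Unit 42 or from the Vertex AI SDK): a stand-in artifact whose __reduce__ names a callable of the attacker's choosing, the unchecked load a serving container performs, and a restricted unpickler that refuses any global outside an allowlist. The payload uses os.getcwd as a harmless placeholder for os.system; the "benign" weight blob and the allowlist are constructed for this example.

```python
import io
import os
import pickle


class MaliciousModel:
    """Stand-in for a poisoned model artifact (constructed for this example).

    pickle calls __reduce__ when serialising; the (callable, args) pair it
    returns is written to the stream, and the unpickler invokes
    callable(*args) while rebuilding the object. Here the callable is the
    harmless os.getcwd; a real payload would name os.system or subprocess
    with a reverse-shell command.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_poisoned_artifact() -> bytes:
    """Serialise the payload exactly as an attacker would write it to the bucket."""
    return pickle.dumps(MaliciousModel())


def benign_artifact() -> bytes:
    """A plausible weight blob built only from builtin containers (constructed)."""
    return pickle.dumps({"weights": [0.1, -0.2, 0.3], "bias": (0.0,)})


def naive_load(blob: bytes):
    """What joblib.load()/pickle.load() does in the serving container: no checks.

    For the poisoned blob this returns whatever os.getcwd() returned, i.e. the
    attacker's callable ran and its result became the "model".
    """
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allowlist.

    find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, so the
    attacker's reference (stored as posix.getcwd on Linux, nt.getcwd on
    Windows) is refused before any callable can execute.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "tuple"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob without running anything."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    poisoned = build_poisoned_artifact()
    print("naive load returned:", naive_load(poisoned))
    print("restricted loader rejects poisoned blob:", load_is_rejected(poisoned))
    print("restricted loader accepts benign blob:", restricted_load(benign_artifact()))
```

An allowlisting unpickler only narrows the attack surface; it does not make pickle a safe format for untrusted input. The durable fix is to treat any artifact whose storage location an attacker could have controlled as untrusted and to avoid loading it with pickle at all.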

Potential Impact

Successful exploitation could give an attacker remote code execution inside the victim’s Vertex AI serving infrastructure with zero prior access to that environment. From that foothold, the researchers note that data exfiltration, lateral movement, and broader compromise of the victim’s cloud environment are plausible follow-on actions.

Affected Versions and Remediation

The vulnerability affected google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0. Google accepted the report from Unit 42 and addressed the issue in v1.148.0. Developers using the Vertex AI Python SDK should upgrade to version 1.148.0 or later immediately and treat any model staged through an SDK-generated default bucket before the upgrade as untrusted until it has been re-verified. As a defensive practice, teams should also pass a custom, explicitly owned staging bucket when calling model upload APIs, rather than relying on SDK-generated defaults, and confirm that the bucket belongs to their own project before staging anything into it.
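The ownership check the SDK lacked (see Root Cause) and the explicit-staging-bucket practice recommended here, as one added example that is not part of the Unit 42 write-up or the SDK. The offline part verifies that a bucket's projectNumber matches the caller's own project number before it is used for staging; the lookup and upload helpers show how that check wires into google-cloud-storage and the Vertex AI SDK, but they are not executed here and their argument values are placeholders. A Forbidden response is deliberately treated as "exists and is not ours", since a squatted bucket may be writable to the victim without being readable.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BucketInfo:
    """Subset of the GCS bucket resource we need (projectNumber is a string)."""
    name: str
    project_number: str  # "" when the bucket exists but metadata is not readable


class StagingBucketError(RuntimeError):
    pass


def verify_staging_bucket(bucket: Optional[BucketInfo], name: str,
                          my_project_number: str) -> str:
    """Return a gs:// URI only if staging into `name` cannot be hijacked.

    None means the bucket does not exist yet, so the caller creates it in
    its own project before use (closing the squatting window). An existing
    bucket is accepted only when its projectNumber is ours.
    """
    if bucket is None:
        return f"gs://{name}"
    if bucket.project_number != my_project_number:
        raise StagingBucketError(
            f"bucket {name} exists but is owned by project "
            f"{bucket.project_number or 'unknown'}, not {my_project_number}; "
            "refusing to stage artifacts into it"
        )
    return f"gs://{name}"


def is_safe_staging_bucket(bucket: Optional[BucketInfo], name: str,
                           my_project_number: str) -> bool:
    try:
        verify_staging_bucket(bucket, name, my_project_number)
    except StagingBucketError:
        return False
    return True


def lookup_bucket(storage_client, name: str) -> Optional[BucketInfo]:
    """Fetch bucket metadata with google-cloud-storage (not run in this example).

    Forbidden is mapped to an unreadable existing bucket so the caller refuses
    it; only NotFound means the name is still free to create.
    """
    from google.cloud import exceptions  # imported lazily: optional dependency
    try:
        b = storage_client.get_bucket(name)
    except exceptions.NotFound:
        return None
    except exceptions.Forbidden:
        return BucketInfo(name=name, project_number="")
    return BucketInfo(name=b.name, project_number=str(b.project_number))


def upload_model_with_owned_bucket(project: str, location: str,
                                   project_number: str, bucket_name: str,
                                   artifact_uri: str, image_uri: str):
    """Sketch of a guarded upload (placeholder arguments; not run here)."""
    from google.cloud import aiplatform, storage  # optional dependencies
    client = storage.Client(project=project)
    staging_uri = verify_staging_bucket(lookup_bucket(client, bucket_name),
                                        bucket_name, project_number)
    if lookup_bucket(client, bucket_name) is None:
        client.create_bucket(bucket_name, location=location)
    aiplatform.init(project=project, location=location,
                    staging_bucket=staging_uri)
    return aiplatform.Model.upload(
        display_name="guarded-upload",
        artifact_uri=artifact_uri,
        serving_container_image_uri=image_uri,
        staging_bucket=staging_uri,
    )


if __name__ == "__main__":
    # Constructed metadata: our own bucket, a squatted one, and a free name.
    ours = BucketInfo("my-staging", project_number="123456789012")
    squatted = BucketInfo("my-staging", project_number="999999999999")
    print(is_safe_staging_bucket(ours, "my-staging", "123456789012"))      # True
    print(is_safe_staging_bucket(squatted, "my-staging", "123456789012"))  # False
    print(is_safe_staging_bucket(None, "my-staging", "123456789012"))      # True
```

The check is cheap and belongs in any pipeline that derives bucket names from public identifiers, not only in the Vertex AI SDK: a name that already exists and is not yours is an attacker's bucket until proven otherwise.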