June 16, 2026 at 11:34 AM

Google Cloud Vertex AI SDK Vulnerability Allows Remote Code Execution via Bucket Hijacking

Vertex AI SDK Security Flaw:

Researchers discovered a critical vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python that permitted remote code execution (RCE) within a victim's cloud environment. The flaw existed in versions 1.139.0 and 1.140.0, allowing attackers to hijack model uploads by exploiting predictable default bucket naming patterns. By engaging in bucket squatting, a malicious actor could intercept and replace legitimate AI models with compromised versions.

Mechanism of the Exploit:

The vulnerability relied on the SDK's failure to verify ownership when creating or using staging buckets for model registration. Because the default staging bucket name was derived deterministically, an attacker could create a bucket with that name in advance and have the victim's SDK stage model data into it. Because the platform uses Python's pickle module for object serialization (a format that can execute code when untrusted data is deserialized), a model replaced in the hijacked bucket could give the attacker unauthorized control over the victim's serving infrastructure.

Resolution and Mitigation:

Google addressed the security loophole with the release of SDK version 1.148.0 on April 15, 2026. Security professionals strongly advise all enterprise developers utilizing Vertex AI pipelines to immediately update their SDK libraries to current, patched versions. Failure to do so exposes organizations to significant risks, including unauthorized data exfiltration, lateral movement within cloud networks, and the potential compromise of high-value machine learning assets.
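As an added illustration (not code from the SDK, Google, or the researchers), two defensive checks a pipeline can apply before trusting a staged artifact: confirming that the staging bucket is owned by the expected project, and loading the artifact with an unpickler that only resolves an explicit allowlist of names. The bucket metadata, project numbers and artifacts below are constructed, and the `projectNumber` lookup is an assumption about what the storage API returns for a bucket.

```python
import io
import os
import pickle

# Globals a model artifact may resolve while unpickling. Anything else
# (os, subprocess, builtins.eval, ...) is refused before it can execute.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
    ("builtins", "float"), ("builtins", "bytes"), ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves names on the explicit allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def artifact_is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the artifact."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

def verify_bucket_owner(bucket_metadata: dict, expected_project_number: str) -> bool:
    """Compare the bucket's owning project with ours before staging anything.
    Assumption: bucket_metadata carries the 'projectNumber' field of a bucket
    resource fetched from the storage API rather than a name-derived guess."""
    return str(bucket_metadata.get("projectNumber", "")) == str(expected_project_number)

def load_staged_model(bucket_metadata: dict, expected_project_number: str, artifact: bytes):
    """Refuse a squatted bucket first, then deserialize under the allowlist."""
    if not verify_bucket_owner(bucket_metadata, expected_project_number):
        raise PermissionError("staging bucket is not owned by the expected project")
    return safe_loads(artifact)

# Constructed sample inputs (not real buckets, projects or artifacts).
OWN_BUCKET = {"name": "example-staging-bucket", "projectNumber": "123456789012"}
SQUATTED_BUCKET = {"name": "example-staging-bucket", "projectNumber": "999999999999"}
BENIGN_ARTIFACT = pickle.dumps({"weights": [0.1, 0.2], "labels": ("cat", "dog")})
# Only a *reference* to an OS function is serialized; nothing is called here.
HOSTILE_ARTIFACT = pickle.dumps(os.getcwd)
```

The allowlist is deliberately small; a real pipeline extends it only with the classes its own model format needs, or moves to a serialization format that cannot reference arbitrary callables at all.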

Pulse Intelligence

AI Analysis:
  • Vertex AI serves as a primary platform for enterprises to train, manage, and deploy machine learning models through centralized registries.
  • The Python pickle module is widely used in machine learning workflows for serializing models but is historically prone to RCE attacks when deserializing untrusted data.
  • Organizations that fail to patch their Vertex AI SDK will remain vulnerable to unauthorized model poisoning and potential environment-wide security breaches.
  • Security audit teams will likely implement stricter ownership verification protocols for cloud storage resources integrated into AI development pipelines.
  • The discovery underscores the growing necessity for specialized AI security assessments to identify non-traditional attack vectors in managed cloud services.

No direct market impact.