
Vertex AI SDK bucket squatting enabled model poisoning in 1.4 seconds via predictable staging names
Google patched a Vertex AI SDK flaw that allowed bucket squatting and model poisoning via pickle. The issue stems from predictable default staging names and absent ownership checks. It follows a prior similar CVE and highlights systemic ML infrastructure risks beyond model performance.
Unit 42 disclosed the Pickle in the Middle technique after reporting it on March 5, 2026. The SDK derived default staging bucket names from the project ID and region with no check that the bucket belonged to the caller's project, so an attacker could pre-create the name in a project of their own. Victim uploads landed in attacker-controlled storage, and a Cloud Function swapped the artifact before the 2.5-second window closed. Google added uuid4 randomization of the default name in 1.144.0 and full ownership checks in 1.148.0.
This is the second Vertex AI bucket-squatting vector this year after CVE-2026-2473 in Experiments. Both expose the same pattern: default service-agent permissions and client-side naming logic that treat project IDs as sufficient isolation. Unit 42 also previously mapped how those agents grant cross-tenant access to model weights, BigQuery metadata, and GKE clusters.
Mainstream coverage focuses on model accuracy while ignoring how supply-chain primitives like pickle and default Cloud Storage staging create execution paths inside managed inference runtimes. The attack required no victim credentials and succeeded on new projects in unused regions.
Operators must pin `staging_bucket` explicitly and audit SDK versions across notebooks and pipelines. Similar predictable-naming issues remain latent in other Vertex AI components and competing platforms.
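The two operator controls above (an explicit, verified `staging_bucket` and an SDK-version audit) as an added example; this is not code from Google, the Vertex AI SDK or Unit 42. It assumes the `google-cloud-aiplatform` and `google-cloud-storage` client libraries only for the two live calls (`aiplatform.init(staging_bucket=...)` and `storage.Client().get_bucket`), which are imported lazily; the audit and the ownership verdict run offline against constructed sample data. The version thresholds 1.144.0 and 1.148.0 are the ones the writeup names.

```python
"""Pre-flight checks before handing an artifact to Vertex AI (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Thresholds from the writeup: 1.144.0 randomized the default staging-bucket
# name with uuid4, 1.148.0 added the ownership check.
RANDOMIZED_DEFAULT_NAME = (1, 144, 0)
OWNERSHIP_CHECK = (1, 148, 0)
SDK_PACKAGE = "google-cloud-aiplatform"


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) for a version string such as '1.148.0'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def audit_sdk_version(version: str) -> str:
    """Classify an installed SDK version against the two fixes."""
    v = parse_version(version)
    if v >= OWNERSHIP_CHECK:
        return "ok"
    if v >= RANDOMIZED_DEFAULT_NAME:
        return "partial"      # random default names, but ownership still unchecked
    return "vulnerable"       # predictable default name, no ownership check


def audit_requirements(text: str) -> str:
    """Audit requirements.txt / pip-freeze lines for the SDK pin.

    'absent': package not listed; 'unpinned': no exact '==' pin, so the resolved
    version is unknown; otherwise the audit_sdk_version verdict of the pin.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith(SDK_PACKAGE):
            continue
        m = re.match(rf"^{SDK_PACKAGE}\s*==\s*([\d.]+)", line, re.IGNORECASE)
        return audit_sdk_version(m.group(1)) if m else "unpinned"
    return "absent"


@dataclass
class BucketInfo:
    """The only bucket metadata the ownership check needs."""
    name: str
    project_number: Optional[int]


BucketLookup = Callable[[str], BucketInfo]


def gcs_lookup(name: str) -> BucketInfo:
    """Live lookup (assumed API: storage.Client.get_bucket, Bucket.project_number).
    Raises if the bucket is missing or its metadata is not readable to us."""
    from google.cloud import storage  # lazy: offline checks need no GCP libraries

    bucket = storage.Client().get_bucket(name)
    return BucketInfo(name=bucket.name, project_number=bucket.project_number)


def check_staging_bucket(uri: str, own_project_number: int, lookup: BucketLookup) -> str:
    """Return 'ok' only when the bucket is positively owned by our project.

    Every failure to confirm ownership (missing, unreadable, owned elsewhere) is
    a refusal, never a fallback to a derived default name: that fallback is
    exactly the behaviour the squatting attack relied on.
    """
    if not uri.startswith("gs://"):
        return "bad-uri"
    name = uri[len("gs://"):].split("/", 1)[0]
    if not name:
        return "bad-uri"
    try:
        info = lookup(name)
    except Exception:            # NotFound, Forbidden, network error: all unverifiable
        return "unverifiable"
    if info.project_number is None:
        return "unverifiable"
    if info.project_number != own_project_number:
        return "foreign-project"  # exists, but someone else created it first
    return "ok"


def init_vertex_pinned(project: str, location: str, staging_bucket: str,
                       own_project_number: int, lookup: BucketLookup = gcs_lookup) -> None:
    """Initialise the SDK only with an explicit, verified staging bucket."""
    verdict = check_staging_bucket(staging_bucket, own_project_number, lookup)
    if verdict != "ok":
        raise RuntimeError(f"refusing to use {staging_bucket}: {verdict}")
    from google.cloud import aiplatform  # assumed: google-cloud-aiplatform installed

    aiplatform.init(project=project, location=location, staging_bucket=staging_bucket)


# Constructed sample data for an offline run; not real projects or buckets.
SAMPLE_REQUIREMENTS = "numpy==1.26.4\ngoogle-cloud-aiplatform==1.139.0  # old pin\ngoogle-cloud-storage>=2.10\n"
OUR_PROJECT_NUMBER = 111111111111
FAKE_BUCKETS = {
    "ours-vertex-staging": BucketInfo("ours-vertex-staging", OUR_PROJECT_NUMBER),
    "squatted-staging": BucketInfo("squatted-staging", 222222222222),
}


def fake_lookup(name: str) -> BucketInfo:
    """Stand-in for gcs_lookup that answers from the constructed table."""
    if name not in FAKE_BUCKETS:
        raise LookupError(name)
    return FAKE_BUCKETS[name]


if __name__ == "__main__":
    print("requirements:", audit_requirements(SAMPLE_REQUIREMENTS))
    for uri in ("gs://ours-vertex-staging", "gs://squatted-staging/models", "gs://missing"):
        print(uri, "->", check_staging_bucket(uri, OUR_PROJECT_NUMBER, fake_lookup))
```

The design point is the failure mode: `check_staging_bucket` treats "bucket exists but I cannot read its metadata" the same as "owned by another project", because a squatted bucket typically looks exactly like that from the victim's side. `init_vertex_pinned` therefore never calls `aiplatform.init` without an explicit `staging_bucket` that passed the check, so the SDK's default-name path is never exercised regardless of installed version.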
Google: No further Vertex AI default-bucket CVEs will be published by Unit 42 or equivalent researchers before December 2026
Sources (2)
- [1] [Primary Source](https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html)
- [2] [Supporting Source](https://unit42.paloaltonetworks.com/pickle-in-the-middle-vertex-ai/)