Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
Summary
Researchers found a vulnerability in Google Cloud's Vertex AI SDK for Python (versions 1.139.0 and 1.140.0) that allowed an attacker to hijack model uploads through bucket squatting, that is, registering a predictable cloud storage bucket name before its legitimate owner does so that files destined for it land in the attacker's bucket. Because the victim's bucket name could be predicted from their project ID, an attacker could create that bucket in their own account, receive the victim's model upload, inject malicious code into it, and achieve remote code execution (RCE, running attacker-chosen commands on a system the attacker does not own) when the victim deployed the poisoned model.
Solution / Mitigation
Google completed fixes for this issue in v1.148.0, released April 15, 2026. Developers should upgrade to that version of the SDK or later.
Original source: https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
First tracked: June 16, 2026 at 08:00 AM