Google’s Vertex AI SDK could allow RCE through bucket squatting
Summary
Google's Vertex AI SDK for Python had a design flaw that could allow attackers to hijack and poison AI models through bucket squatting (creating cloud storage buckets with names matching those expected by other projects). An attacker who knew a victim's project ID and region could create a bucket with the same name, trick the SDK into uploading models there, replace the model with malicious code, and achieve RCE (remote code execution, where an attacker runs commands on a system they don't control) when the poisoned model was loaded using Python's pickle deserialization (a process that can execute hidden code in specially formatted data).
Solution / Mitigation
Google modified the affected workflow so that staging buckets are now validated before use, so the SDK no longer writes to a bucket that an attacker registered under a name resembling another project's resource. The fixes were deployed in SDK versions 1.144.0 and 1.148.0, and users must upgrade to one of the patched versions.
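The check described above, as an added illustration that is not code from Google or the Vertex AI SDK: because Cloud Storage bucket names are global, a name derived only from a project ID and region can be registered by anyone, so the client must confirm which project owns the bucket before staging a model there. The naming convention (`<project>-<region>-staging`), the `BucketMetadata` type, the `metadata_lookup` callable and the constructed bucket registry are all assumptions for this example; in a real deployment the owning project number would come from a bucket metadata GET.

```python
"""Added example (not the SDK's own code): refuse to stage model artifacts in a
bucket whose owning project does not match the caller's project."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class BucketMetadata:
    """Hypothetical subset of bucket metadata: the name and the owning project number."""
    name: str
    project_number: int


class StagingBucketError(Exception):
    """Raised when a staging bucket is missing or owned by another project."""


def expected_bucket_name(project_id: str, region: str) -> str:
    # Hypothetical naming convention; the point is that it is predictable,
    # which is exactly what makes squatting possible.
    return f"{project_id}-{region}-staging"


def validate_staging_bucket(
    metadata_lookup: Callable[[str], Optional[BucketMetadata]],
    project_id: str,
    region: str,
    own_project_number: int,
) -> str:
    """Return the bucket name only if it exists and is owned by own_project_number.

    A missing bucket is an error too: silently creating or trusting whatever
    appears under that name is what opens the squatting window."""
    name = expected_bucket_name(project_id, region)
    meta = metadata_lookup(name)
    if meta is None:
        raise StagingBucketError(
            f"bucket {name!r} does not exist; create it in project {project_id} before staging"
        )
    if meta.project_number != own_project_number:
        raise StagingBucketError(
            f"bucket {name!r} is owned by project {meta.project_number}, "
            f"not {own_project_number}; refusing to stage models there"
        )
    return name


# Constructed stand-in for the global bucket namespace (sample data, not real projects).
CONSTRUCTED_BUCKETS = {
    # Legitimately owned by project number 123456789012.
    "acme-ml-us-central1-staging": BucketMetadata("acme-ml-us-central1-staging", 123456789012),
    # Name matches what project "victim-proj" would derive, but it was registered
    # by a different project (999999999999): a squatted bucket.
    "victim-proj-us-central1-staging": BucketMetadata("victim-proj-us-central1-staging", 999999999999),
}


def constructed_lookup(name: str) -> Optional[BucketMetadata]:
    return CONSTRUCTED_BUCKETS.get(name)


def stage_model(project_id: str, region: str, own_project_number: int, artifact: bytes,
                metadata_lookup: Callable[[str], Optional[BucketMetadata]] = constructed_lookup) -> str:
    """Validate the bucket, then 'upload' by returning the destination URI.

    The upload itself is simulated; only the ownership gate matters here."""
    bucket = validate_staging_bucket(metadata_lookup, project_id, region, own_project_number)
    return f"gs://{bucket}/model.pkl"


if __name__ == "__main__":
    print(stage_model("acme-ml", "us-central1", 123456789012, b"model-bytes"))
    for pid, num in (("victim-proj", 111111111111), ("nobody", 222222222222)):
        try:
            stage_model(pid, "us-central1", num, b"model-bytes")
        except StagingBucketError as exc:
            print("blocked:", exc)
```

Ownership is compared by project number rather than by name because the name is the attacker-controlled part; the number is assigned by the platform and cannot be chosen to collide.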
Classification
Affected Vendors
Related Issues
Original source: https://www.csoonline.com/article/4186193/googles-vertex-ai-sdk-could-allow-rce-through-bucket-squatting.html
First tracked: June 17, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%