Unit 42 — Pickle in the Middle: Cross-Tenant RCE in Google Vertex AI
AI relevance: This vulnerability directly affected enterprises deploying custom ML models on Google Cloud's AI platform, allowing attackers to achieve code execution within Vertex AI serving infrastructure from an entirely separate GCP project.
- Palo Alto Networks Unit 42 disclosed a critical vulnerability in the Google Cloud Vertex AI SDK for Python affecting versions 1.139.0 and 1.140.0
- The flaw enabled "bucket squatting" attacks where an attacker could predict and preemptively create GCS buckets with deterministic names based on victim project IDs
- When victims uploaded models without specifying custom staging buckets, the SDK silently uploaded artifacts to attacker-controlled buckets
- Attackers could then replace legitimate models with malicious payloads containing pickle deserialization exploits
- Successful exploitation led to remote code execution within Google's Vertex AI serving infrastructure with zero initial access to the victim's project
- The attack exploited a missing ownership check in the SDK's staging logic combined with predictable default bucket naming patterns
- Google fixed the vulnerability in SDK version 1.148.0 released April 15, 2026 through their Vulnerability Rewards Program
- The vulnerability highlights risks in multi-tenant AI serving platforms where resource naming follows deterministic patterns
Why it matters
Vertex AI is a core ML platform for enterprises training and deploying production models. This vulnerability demonstrated that an attacker operating entirely from their own GCP project could hijack model uploads and poison artifacts before deployment. The "Pickle in the Middle" attack name references the man-in-the-middle positioning combined with Python's pickle deserialization module used for payload execution. Organizations using Vertex AI for custom model deployment faced potential data exfiltration, lateral movement, and full cloud environment compromise if they hadn't upgraded to patched SDK versions.
What to do
- Upgrade google-cloud-aiplatform SDK to version 1.148.0 or later immediately
- Audit existing Vertex AI deployments for signs of bucket squatting or unauthorized model artifact access
- Always specify custom staging buckets with explicit ownership controls rather than relying on SDK defaults
- Implement GCS bucket monitoring for unexpected access patterns or cross-project bucket creation
- Review Vertex AI model deployment logs for anomalies in artifact loading or serving container initialization
- Consider network isolation and service account restrictions to limit blast radius of compromised model serving infrastructure