logo

Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

ID: ef1ec797-9c37-5aea-8f40-4b802d684f4c

STIX ID: report--ef1ec797-9c37-5aea-8f40-4b802d684f4c

Feed Name: Palo Alto Networks Unit 42

Threat Score
75/100

Date Published: 2026-06-16

Date Updated: 2026-06-16

Author: Ori Hadad

...
...

Palo Alto Networks Unit 42 discovered and responsibly disclosed a high-impact vulnerability in the Google Cloud Vertex AI Python SDK that allowed an attacker to pre-create (squat) a predictable default staging GCS bucket, race to replace victim model artifacts with a malicious joblib/pickle payload, and achieve remote code execution and tenant service-account token exfiltration; Google released fixes (first in v1.144.0 and fully in v1.148.0) and users are advised to upgrade and/or set explicit staging buckets.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.