Critical "Pickle in the Middle" Vulnerability in Google Cloud Vertex AI Exposed ML Models to RCE
Researchers from Palo Alto Networks’ Unit 42 uncovered a severe vulnerability in Google Cloud’s Vertex AI, dubbed "Pickle in the Middle," which enabled attackers to hijack machine learning (ML) model uploads, poison artifacts, and achieve cross-tenant remote code execution (RCE) without prior access to the victim’s environment.
The flaw, in the Python SDK (google-cloud-aiplatform), stemmed from a combination of predictable cloud resource naming, bucket squatting, and unsafe deserialization. Vertex AI’s Model Registry relies on Google Cloud Storage (GCS) buckets to stage artifacts before deployment, and the SDK generated default bucket names using a deterministic format based on the project ID and region. SDK versions 1.139.0 and 1.140.0 did not verify that the staging bucket belonged to the caller’s project, so an attacker who could predict the name could pre-create the bucket in their own project, a technique known as bucket squatting.
The attack unfolded in six phases:
- Prediction & Squatting: The attacker predicted the victim’s staging bucket name, created it in their own project, and configured permissive IAM roles.
- Malicious Function Deployment: A Cloud Function was set up to monitor uploads and replace legitimate model files with malicious payloads within a 2.5-second race-condition window.
- Victim Upload: The victim’s SDK, unaware of the hijacked bucket, uploaded model artifacts to the attacker-controlled storage.
- Payload Swap: The attacker’s function triggered immediately, replacing the model with a poisoned version before Vertex AI processed it.
- Model Deployment: The victim deployed the compromised model, which was treated as legitimate due to absent integrity checks.
- RCE Execution: During deserialization, the exploit leveraged Python’s pickle mechanism to execute arbitrary code, enabling OAuth token exfiltration from Google-managed service accounts. This granted access to sensitive resources, including other models, BigQuery metadata, and internal infrastructure.
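The two defensive checks the article says were missing (artifact integrity and safe deserialization) can be shown in isolation. The following is an added example, not Unit 42’s proof of concept and not code from the google-cloud-aiplatform SDK: a tiny dict stands in for a real model artifact, the "payload" only sets an environment variable rather than stealing tokens, and the digest and the unpickler allowlist are assumed to be carried by the deploying client rather than by the bucket. It shows that a plain `pickle.loads` on a swapped artifact runs attacker code, that a digest recorded at upload time detects the swap, and that a restricted `Unpickler` refuses the callable the payload relies on even when no digest is available.

```python
"""Pickle swap demo: what an unprotected loader does with a poisoned
artifact, versus a loader that checks a digest and restricts unpickling.

Constructed example. Artifacts are stand-ins, not real Vertex AI model files.
"""
import hashlib
import io
import os
import pickle


class IntegrityError(Exception):
    """Staged artifact does not match the digest recorded at upload time."""


def build_legitimate_artifact() -> bytes:
    # A minimal "model": dicts, lists and floats need no class lookups to
    # unpickle, so a restricted loader can accept them without an allowlist.
    model = {"weights": [0.25, -0.5, 1.0], "bias": 0.1}
    return pickle.dumps(model, protocol=pickle.HIGHEST_PROTOCOL)


class _Payload:
    # An object decides how it is rebuilt on load. Returning (callable, args)
    # makes pickle.load() call it; here exec() runs attacker-chosen source.
    # Real payloads use os.system/subprocess; this one only sets a marker.
    def __reduce__(self):
        code = "import os; os.environ['PITM_DEMO'] = 'executed'"
        return (exec, (code,))


def build_poisoned_artifact() -> bytes:
    # Bytes an attacker's function would write over the victim's upload.
    return pickle.dumps(_Payload(), protocol=pickle.HIGHEST_PROTOCOL)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsafe_load(blob: bytes):
    # A loader that trusts whatever is in the staging bucket.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    # Only these (module, name) pairs may be resolved from the pickle stream.
    # builtins.exec, os.system, subprocess.Popen etc. are refused before they
    # are ever called. Extend the set for the classes a real model needs.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def verify_and_load(blob: bytes, expected_digest: str):
    # The digest is computed client-side before upload and carried with the
    # deployment request, so a swap inside the bucket is detected here.
    actual = sha256_hex(blob)
    if actual != expected_digest:
        raise IntegrityError(f"digest mismatch: expected {expected_digest}, got {actual}")
    return safe_load(blob)


def classify(blob: bytes, expected_digest: str) -> str:
    """Run the hardened path and name the outcome (for logging and tests)."""
    try:
        verify_and_load(blob, expected_digest)
        return "loaded"
    except IntegrityError:
        return "digest-mismatch"
    except pickle.UnpicklingError:
        return "unpickler-refused"


def attacker_marker():
    """Value the demo payload leaves behind; None means it never ran."""
    return os.environ.get("PITM_DEMO")


if __name__ == "__main__":
    legit = build_legitimate_artifact()
    digest = sha256_hex(legit)
    poisoned = build_poisoned_artifact()
    print("legitimate artifact:", classify(legit, digest))
    print("swapped artifact, digest check on:", classify(poisoned, digest))
    print("swapped artifact, digest unknown:", classify(poisoned, sha256_hex(poisoned)))
    unsafe_load(poisoned)
    print("unsafe loader ran attacker code, marker =", attacker_marker())
```

The digest check is the cheaper of the two and catches any swap, but it needs a trusted channel for the digest (the deploying client, not the bucket). The restricted unpickler protects the case where no digest exists, at the cost of maintaining an allowlist of the classes a legitimate model references; an allowlist is the only way to make `find_class` safe, since denylists miss the many importable callables that can run code.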
The impact extended beyond a single deployment, demonstrating cross-deployment data access, model theft, and reconnaissance capabilities. The compromised service account’s broad cloud-platform scope undermined tenant isolation in Vertex AI’s managed environment.
Google addressed the issue in SDK versions 1.144.0 and 1.148.0, introducing randomized bucket naming (via UUIDs) and explicit ownership verification. The vulnerability was reported on March 5, 2026, with patches fully deployed by April 15, 2026. The incident highlights emerging security risks in AI/ML pipelines, where cloud misconfigurations intersect with model serialization to create potent attack vectors.
Source: https://gbhackers.com/google-cloud-vertex-ai-vulnerability/
Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud
"id": "GOO1781699328",
"linkid": "google-cloud",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Cloud Computing',
'location': 'Global',
'name': 'Google Cloud Vertex AI',
'size': 'Large',
'type': 'Cloud Service Provider'}],
'attack_vector': 'Cloud Storage Bucket Squatting, Unsafe Deserialization',
'data_breach': {'data_exfiltration': 'Yes (OAuth tokens, model artifacts)',
'file_types_exposed': ['Python pickle files',
'ML model artifacts'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['OAuth tokens',
'ML model artifacts',
'BigQuery metadata',
'Internal infrastructure data']},
'date_detected': '2026-03-05',
'date_resolved': '2026-04-15',
'description': 'Researchers from Palo Alto Networks’ Unit 42 uncovered a '
'severe vulnerability in Google Cloud’s Vertex AI, dubbed '
"'Pickle in the Middle,' which enabled attackers to hijack "
'machine learning (ML) model uploads, poison artifacts, and '
'achieve cross-tenant remote code execution (RCE) without '
'prior access to the victim’s environment. The flaw exploited '
'a combination of predictable cloud resource naming, bucket '
'squatting, and unsafe deserialization.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'AI/ML pipeline security flaws',
'data_compromised': 'OAuth tokens, model artifacts, BigQuery '
'metadata, internal infrastructure data',
'identity_theft_risk': 'OAuth token exfiltration enabling '
'unauthorized access to sensitive resources',
'operational_impact': 'Cross-tenant RCE, model theft, '
'reconnaissance capabilities, compromised '
'tenant isolation',
'systems_affected': 'Google Cloud Vertex AI, Python SDK '
'(google-cloud-aiplatform), Google Cloud '
'Storage (GCS) buckets'},
'initial_access_broker': {'backdoors_established': 'Malicious Cloud Function '
'for payload swapping',
'entry_point': 'Predictable bucket naming in Google '
'Cloud Vertex AI',
'high_value_targets': 'ML models, OAuth tokens, '
'BigQuery metadata'},
'investigation_status': 'Resolved',
'lessons_learned': 'Emerging security risks in AI/ML pipelines due to cloud '
'misconfigurations and model serialization '
'vulnerabilities. Importance of randomized resource naming '
'and explicit ownership verification in cloud services.',
'post_incident_analysis': {'corrective_actions': ['Randomized bucket naming '
'(UUIDs)',
'Explicit bucket ownership '
'verification',
'Patches in SDK versions '
'1.144.0 and 1.148.0'],
'root_causes': ['Predictable bucket naming',
'Lack of bucket ownership '
'verification',
'Unsafe Python pickle '
'deserialization',
'Absent integrity checks for ML '
'model artifacts']},
'recommendations': 'Update to patched SDK versions (1.144.0+), implement '
'integrity checks for ML model artifacts, monitor for '
'unauthorized bucket access, and enforce least-privilege '
'IAM roles.',
'references': [{'source': 'Palo Alto Networks’ Unit 42'}],
'response': {'containment_measures': 'Randomized bucket naming (UUIDs), '
'explicit bucket ownership verification',
'remediation_measures': 'Patches in SDK versions 1.144.0 and '
'1.148.0',
'third_party_assistance': 'Palo Alto Networks’ Unit 42'},
'title': "Critical 'Pickle in the Middle' Vulnerability in Google Cloud "
'Vertex AI Exposed ML Models to RCE',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Predictable bucket naming in Google Cloud Vertex '
'AI, lack of bucket ownership verification, unsafe '
'Python pickle deserialization'}