Google Vertex AI SDK flaw let attackers hijack model uploads across tenants

Palo Alto's Unit 42 disclosed a flaw, nicknamed Pickle in the Middle, in Google Cloud's Vertex AI SDK for Python that let an attacker with no access to a victim's project hijack their machine-learning model uploads and run code across tenant boundaries. When a model was uploaded without a custom staging bucket, the SDK generated a predictable storage bucket name from the project ID and region and failed to verify ownership, so an attacker could pre-create that bucket, receive the victim's model, and swap in a malicious one that executes on deployment. Google fully fixed it in SDK version 1.148.0 in April; Unit 42 saw no exploitation in the wild.

Check
Check the google-cloud-aiplatform SDK version everywhere it runs, including notebooks, CI jobs, and training pipelines, and confirm whether model uploads relied on default, auto-generated staging buckets.
Affected
Google Cloud Vertex AI users on google-cloud-aiplatform SDK versions before 1.148.0 who uploaded models without specifying their own staging bucket; no CVE was assigned and no exploitation was observed.
Fix
Update the Vertex AI SDK to 1.148.0 or later so bucket-ownership checks are active, and always set an explicit staging bucket pointing to Cloud Storage you control when uploading models.
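As an added illustration of the check and the fix above (this is example code, not Unit 42's or Google's), the script below reports whether the installed google-cloud-aiplatform release predates 1.148.0 and scans source for `aiplatform.init()` and `Model.upload()` calls that omit `staging_bucket=` and so fall back to the auto-generated bucket. The sample notebook text is constructed; the call names and the `staging_bucket` keyword are assumed from the SDK's documented API.

```python
import re
from importlib import metadata

FIXED_VERSION = (1, 148, 0)  # first release with the bucket-ownership check

# Call sites whose staging bucket falls back to the auto-generated default when the
# staging_bucket= argument is absent (assumed: aiplatform.init and Model.upload).
CALL_RE = re.compile(r"\b(aiplatform\.init|Model\.upload)\s*\((?P<args>[^)]*)\)")


def parse_version(version):
    """Turn '1.147.0' or '1.148.0rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version):
    """True when the SDK predates the 1.148.0 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_sdk_version():
    """Installed google-cloud-aiplatform version, or None if the package is absent."""
    try:
        return metadata.version("google-cloud-aiplatform")
    except metadata.PackageNotFoundError:
        return None


def find_default_bucket_calls(source):
    """Return (call name, line number) for each init/upload call lacking staging_bucket=."""
    findings = []
    for m in CALL_RE.finditer(source):
        if "staging_bucket" not in m.group("args"):
            findings.append((m.group(1), source.count("\n", 0, m.start()) + 1))
    return findings


# Constructed sample of notebook/pipeline code: two risky calls, one explicit bucket.
SAMPLE = '''from google.cloud import aiplatform
aiplatform.init(project="my-project", location="us-central1")
model = aiplatform.Model.upload(
    display_name="fraud-model",
    artifact_uri="gs://my-artifacts/fraud/",
    serving_container_image_uri="us-docker.pkg.dev/example/prediction:latest",
)
aiplatform.init(project="my-project", location="us-central1",
                staging_bucket="gs://my-project-staging")
'''

if __name__ == "__main__":
    v = installed_sdk_version()
    print("SDK:", v, "vulnerable" if v and is_vulnerable_version(v) else "ok/absent")
    for call, line in find_default_bucket_calls(SAMPLE):
        print(f"line {line}: {call} relies on the auto-generated staging bucket")
```

Run it against real repositories by feeding each file's text to `find_default_bucket_calls`; calls inside nested parentheses need a proper parser rather than the simple regex used here.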