Artificial intelligence is rapidly becoming the backbone of modern digital transformation, powering everything from fraud detection and healthcare diagnostics to customer service automation and predictive analytics. But as organizations rush to deploy AI at scale, a newly disclosed vulnerability in Google Cloud’s Vertex AI ecosystem serves as a stark reminder that the AI supply chain is becoming an increasingly attractive target for cybercriminals.
Security researchers at Palo Alto Networks’ Unit 42 recently disclosed a critical vulnerability affecting the Vertex AI Python SDK that, prior to remediation, could have allowed attackers to hijack machine learning model uploads, inject malicious payloads, and ultimately achieve remote code execution (RCE) inside a victim’s Vertex AI serving infrastructure.
What makes this discovery particularly concerning is that the attack required no prior access to the victim’s Google Cloud environment and relied instead on weaknesses in how the SDK handled cloud storage staging during model uploads.
According to research published by Unit 42, Google has since addressed the issue and released security fixes, but the findings highlight broader concerns surrounding AI infrastructure security and the emerging risks associated with machine learning development pipelines.
How the Vulnerability Worked
The vulnerability affected versions 1.139.0 and 1.140.0 of the Google Cloud Vertex AI SDK for Python.
When developers uploaded machine learning models without explicitly specifying a staging bucket, the SDK automatically generated a cloud storage bucket name using a predictable naming convention based on the project’s ID and geographic region.
Researchers discovered that the SDK only verified whether the bucket existed—not whether it belonged to the organization performing the upload.
This seemingly minor oversight created an opportunity for a technique known as “bucket squatting.”
An attacker who knew a target organization’s Google Cloud project ID could pre-create the expected bucket within their own cloud environment. When the victim later uploaded a model, the SDK would unknowingly transfer the model artifacts into the attacker-controlled bucket.
From there, attackers could quickly replace the legitimate model with a malicious version before Vertex AI processed and deployed it.
The researchers named the attack technique “Pickle in the Middle”, referencing Python’s pickle deserialization mechanism that was leveraged to transform model poisoning into remote code execution.
From Model Poisoning to Cloud Compromise
The attack chain uncovered by researchers demonstrates how weaknesses in AI development workflows can escalate into broader cloud security incidents.
Once a poisoned model was deployed, malicious code embedded within the serialized model could execute automatically during the loading process.
Researchers demonstrated that attackers could:
- Execute arbitrary code within Vertex AI serving environments
- Steal cloud authentication tokens
- Harvest sensitive environment information
- Enumerate cloud resources
- Access machine learning assets belonging to other deployments
- Conduct reconnaissance for further lateral movement
Particularly alarming was the ability to obtain service account credentials associated with Google’s managed infrastructure. Researchers reported that these credentials could potentially expose information about other workloads and cloud resources connected to the environment.
The findings reinforce a growing industry concern: machine learning models are no longer just business assets—they are executable components of modern software supply chains.
Why This Matters Beyond Google Cloud
While the vulnerability specifically impacted Vertex AI’s Python SDK, the underlying lessons extend far beyond a single platform.
Organizations worldwide are accelerating adoption of AI and machine learning technologies, often focusing heavily on model performance while overlooking the security of model development pipelines.
Modern AI environments depend on a complex ecosystem that includes:
- Cloud storage
- Model registries
- CI/CD pipelines
- Containerized deployment platforms
- Third-party frameworks
- Serialized model artifacts
Every component represents a potential attack surface.
The Unit 42 research illustrates how attackers increasingly target the intersection of cloud infrastructure and artificial intelligence, where seemingly benign configuration weaknesses can create opportunities for large-scale compromise.
For security leaders, this serves as another reminder that AI security must be treated as an extension of traditional application security, cloud security, and software supply chain protection.
Google’s Response
Following responsible disclosure through Google’s Vulnerability Reward Program (VRP), Google prioritized the issue and worked closely with researchers to develop remediation measures.
According to the disclosure timeline:
- March 5, 2026: Vulnerability reported to Google
- March 9, 2026: Google assigned top priority
- March 10, 2026: Vulnerability acknowledged and escalated
- March 31, 2026: Initial fix deployed
- April 15, 2026: Additional ownership validation protections released
The final remediation introduced two major security improvements:
- Randomized staging bucket naming using UUID generation
- Explicit bucket ownership verification before uploads occur
The fixes were fully implemented in Vertex AI SDK version 1.148.0 and later releases.
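The staging weakness described under "How the Vulnerability Worked" and the two fixes listed above, as an added illustration that is not the SDK's code: an in-memory stand-in for the global bucket namespace shows why an existence-only check hands the upload to a pre-created bucket, and how an ownership check plus a random bucket name closes the gap. The naming convention, project ids and the BucketNamespace class are constructed for the example.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class BucketNamespace:
    """Constructed stand-in for the global Cloud Storage bucket namespace."""
    owners: dict = field(default_factory=dict)  # bucket name -> owning project id

    def create(self, name: str, owner: str) -> str:
        if name in self.owners:
            raise ValueError(f"bucket {name} already exists")
        self.owners[name] = owner
        return name

    def exists(self, name: str) -> bool:
        return name in self.owners

    def owner(self, name: str) -> str:
        return self.owners[name]


def predictable_name(project_id: str, region: str) -> str:
    # Hypothetical convention; the article only says the name derived from project and region.
    return f"{project_id}-vertex-staging-{region}"


def verify_ownership(ns: BucketNamespace, name: str, project_id: str) -> bool:
    """The missing check: does the bucket we are about to write to belong to this project?"""
    return ns.exists(name) and ns.owner(name) == project_id


def stage_existence_only(ns: BucketNamespace, project_id: str, region: str) -> str:
    """Vulnerable pattern: reuse the derived bucket if it exists, whoever owns it."""
    name = predictable_name(project_id, region)
    if not ns.exists(name):
        ns.create(name, project_id)
    return name  # whoever created this name first now receives the model upload


def stage_with_ownership_check(ns: BucketNamespace, project_id: str, region: str,
                               staging_bucket=None) -> str:
    """Hardened pattern: verify an explicit bucket's owner, else create an unguessable one."""
    if staging_bucket is not None:
        if not verify_ownership(ns, staging_bucket, project_id):
            raise PermissionError(f"{staging_bucket} is not owned by {project_id}")
        return staging_bucket
    # Random suffix: there is no predictable name left for anyone to pre-create.
    return ns.create(f"{project_id}-vertex-staging-{uuid.uuid4().hex}", project_id)
```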
A Growing Wake-Up Call for AI Security
This incident highlights a broader shift occurring across the cybersecurity landscape.
Attackers are no longer focused solely on endpoints, applications, and traditional cloud workloads. They are increasingly targeting AI pipelines, machine learning assets, and the infrastructure used to train and deploy intelligent systems.
As organizations deploy generative AI, autonomous agents, and advanced machine learning models into production environments, the integrity of model supply chains becomes critical.
A compromised model can become an attack vector capable of bypassing traditional defenses, executing malicious code, stealing credentials, and enabling deeper intrusion into cloud environments.
The discovery also demonstrates how AI itself is beginning to play a role in vulnerability research. Researchers noted that large language models helped accelerate portions of the code analysis process, allowing them to identify cloud security weaknesses significantly faster than traditional manual approaches.
10 Recommended Actions for Security Teams
Organizations using Google Cloud, Vertex AI, or similar machine learning platforms should consider the following actions immediately:
1. Upgrade Immediately
Ensure all Vertex AI SDK deployments are running version 1.148.0 or later.
2. Define Explicit Staging Buckets
Avoid relying on automatically generated storage locations whenever possible.
3. Audit AI Pipelines
Review machine learning workflows for hidden trust assumptions and insecure defaults.
4. Secure Model Artifacts
Treat model files as sensitive assets requiring integrity verification and monitoring.
5. Restrict Bucket Permissions
Implement least-privilege access controls across cloud storage environments.
6. Monitor Model Registries
Track unauthorized changes to registered models and deployment artifacts.
7. Scan Serialized Objects
Inspect pickle, Joblib, and similar serialized files before deployment.
8. Strengthen Cloud Identity Controls
Review service account privileges and eliminate excessive permissions.
9. Implement AI Security Posture Management
Continuously assess AI environments for misconfigurations and exposure risks.
10. Expand Threat Hunting to AI Assets
Include machine learning infrastructure within detection and response programs.
For additional cloud and AI security guidance, organizations can explore resources from Saintynet Cybersecurity, particularly around cloud security, AI governance, cybersecurity awareness, and security training initiatives.
Industry Implications
The Vertex AI vulnerability is unlikely to be the last security issue discovered within AI development ecosystems.
As machine learning platforms become foundational business infrastructure, attackers will continue searching for weaknesses in model supply chains, training environments, deployment mechanisms, and cloud-native AI services.
The challenge for defenders is clear: securing AI requires more than protecting the model itself. It demands visibility and control across the entire lifecycle—from development and storage to deployment and runtime operations.
Organizations that fail to incorporate AI-specific security controls into their cybersecurity strategies may find themselves exposed to a new generation of attacks where the model becomes the malware.
Conclusion
The newly disclosed Vertex AI SDK vulnerability demonstrates how a seemingly simple design oversight can evolve into a critical cloud security risk. By combining predictable cloud storage naming conventions, bucket squatting techniques, and malicious model deserialization, attackers could potentially compromise AI workloads without ever breaching the victim’s environment directly.
Although Google has fully remediated the issue, the incident serves as an important warning for enterprises embracing artificial intelligence at scale. As AI systems become more deeply integrated into critical business operations, protecting the AI supply chain must become a core component of every organization’s cybersecurity strategy.
Research and technical findings referenced and adapted from security analysis published by the Unit 42 research team of Palo Alto Networks, which responsibly disclosed the vulnerability to Google and collaborated on remediation efforts.