Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

· Source: Unit 42 · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Advanced, long

Summary

A critical "Pickle in the Middle" vulnerability was discovered in Google Cloud's Vertex AI SDK for Python, impacting versions 1.139.0 and 1.140.0. This flaw allowed cross-tenant Remote Code Execution (RCE) without requiring initial access to a victim's project. The attack exploited predictable default Google Cloud Storage (GCS) bucket names and a missing ownership check during model uploads. An attacker could "bucket squat" by preemptively creating a bucket with the victim's default name. When a victim uploaded a model via the SDK without specifying a custom staging bucket, their artifacts were silently staged in the attacker's bucket. Within a 2.5-second window, the attacker replaced the legitimate model with a malicious `pickle` payload. Upon deployment, this payload executed arbitrary code, enabling data exfiltration, lateral movement, and compromise of the victim's cloud environment. Google fixed the issue in SDK versions 1.144.0 (March 31, 2026) and 1.148.0 (April 15, 2026) by adding random UUIDs to bucket names and implementing explicit ownership verification.

Key takeaway

If you are an MLOps engineer or AI security engineer deploying models on Google Cloud Vertex AI, upgrade your `google-cloud-aiplatform` SDK to version 1.148.0 or newer immediately. Staying on an unpatched version leaves your model uploads open to cross-tenant Remote Code Execution via bucket squatting and `pickle` deserialization. In addition, always pass an explicit custom `staging_bucket` parameter to `Model.upload()` so that artifacts stay isolated in storage you control and are never staged in an attacker-controlled bucket. This mitigates the risk of model poisoning and credential theft.

Key insights

The Vertex AI SDK's predictable default bucket naming and lack of ownership checks enabled cross-tenant RCE via model poisoning.

Method

Attacker bucket-squats a predictable GCS bucket, grants public write access. Victim uploads model to squatted bucket. Attacker replaces model with `pickle` RCE payload via Cloud Function. Victim deploys poisoned model.
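A pre-upload guard that applies the mitigations from the key takeaway and the method above, added here as an example; it is not code from Unit 42 or from the Vertex AI SDK. It assumes plain X.Y.Z version strings, an injected bucket-owner lookup (in production backed by GCS bucket metadata) and an illustrative allowlist of modules a model pickle may reference; the sample bucket owners and pickles are constructed for the demonstration.

```python
import pickle
import pickletools
from typing import Callable, List, Optional

FIXED_SDK = (1, 148, 0)                    # advisory: upgrade to 1.148.0 or newer
AFFECTED_SDK = {(1, 139, 0), (1, 140, 0)}  # releases the advisory names as affected
# Assumed allowlist of modules a model pickle may legitimately reference.
ALLOWED_MODULES = ("numpy", "sklearn", "torch", "collections", "copyreg")

def sdk_status(version: str) -> str:
    """'vulnerable' for affected releases, 'upgrade' below the fix, else 'ok'."""
    v = tuple(int(p) for p in version.split(".")[:3])  # assumes plain X.Y.Z
    if v in AFFECTED_SDK:
        return "vulnerable"
    return "ok" if v >= FIXED_SDK else "upgrade"

def staging_bucket_ok(staging_bucket: Optional[str], my_project: str,
                      owner_of: Callable[[str], Optional[str]]) -> bool:
    """Reject the SDK default (None) and any bucket my_project does not own.
    owner_of(name) returns the owning project number, or None if the bucket
    does not exist; in production back it with GCS bucket metadata."""
    if not staging_bucket:
        return False  # would fall back to the predictable default bucket name
    name = staging_bucket.replace("gs://", "", 1).split("/", 1)[0]
    return owner_of(name) == my_project

def pickle_globals(data: bytes) -> List[str]:
    """Names a pickle would import on load, found without unpickling it.
    Simplified: memoized repeats of a module string are not resolved."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is 'module name'
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module, name pushed before
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def artifact_ok(data: bytes) -> bool:
    """True only if every global the pickle imports is in the allowlist."""
    return all(g.split(".", 1)[0] in ALLOWED_MODULES for g in pickle_globals(data))

# Constructed samples: bucket -> owning project number, and two model pickles.
SAMPLE_OWNERS = {"my-explicit-staging": "123456789012", "squatted-default": "999"}
SAMPLE_CLEAN = pickle.dumps({"weights": [0.1, 0.2]})
SAMPLE_SUSPECT = pickle.dumps(print)  # imports a callable outside the allowlist
```

Run `sdk_status`, `staging_bucket_ok` and `artifact_ok` before calling `Model.upload()` and again on the staged artifact before deployment; a failed check should block the deploy, not just log.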

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, AI Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Unit 42.