VYPR
Advisory · Published Jun 16, 2026 · 1 source

Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

Unit 42 discovered a vulnerability in the Google Cloud Vertex AI Python SDK that allows attackers to hijack model uploads and achieve remote code execution across tenants via bucket squatting.

Unit 42 researchers have disclosed a critical vulnerability in the Google Cloud Vertex AI Python SDK that enables remote code execution (RCE) across tenants by hijacking model uploads. Dubbed 'Pickle in the Middle,' the attack exploits a predictable default bucket name and a missing ownership check in the SDK's staging logic. An attacker operating from their own Google Cloud project can preemptively create a bucket with a name derived from the victim's project ID and region, a technique known as bucket squatting. When the victim uploads a model without specifying a custom staging bucket, the SDK silently uploads artifacts to the attacker-controlled bucket, allowing the attacker to replace the legitimate model with a malicious one.

The vulnerability affects google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0, which were the latest at the time of testing. The attack chain begins when a Vertex AI user uploads a model to the Model Registry via the SDK. The SDK constructs a bucket name deterministically from the project ID and region, then checks if the bucket exists. If it does not, the SDK creates it. However, if the bucket already exists—because the attacker created it in their own project—the SDK uses it without verifying ownership. This allows the attacker to intercept the model artifacts.

Once the attacker controls the staging bucket, they can replace the victim's model with a malicious pickle file. Python's pickle deserialization is a well-known attack vector: an attacker can define a __reduce__ method that executes arbitrary code when the model is loaded. When the victim deploys the compromised model, Google's internal infrastructure loads it into a serving container, triggering the attacker's payload. This can lead to data exfiltration, lateral movement, and further compromise of the victim's cloud environment.

The impact is significant because Vertex AI is a widely used machine learning platform for training and deploying AI models. The vulnerability allows an attacker with zero initial access to a victim's project to achieve RCE within the victim's Vertex AI serving infrastructure. Unit 42 responsibly disclosed the vulnerability to Google, which accepted the findings and released a fix in version 1.148.0 on April 15, 2026.

Google Cloud's Vertex AI uses tenant projects—Google-owned projects that host resources for managed services—to bridge the boundary between Google's infrastructure and customer resources. The attack exploits this architecture by targeting the Per-Product, Per-Project Service Account (P4SA) that reads model artifacts from the staging bucket. By poisoning the model, the attacker can execute code within the tenant project, potentially accessing other customer resources.

Unit 42 recommends that all developers using the Vertex AI Python SDK upgrade to version 1.148.0 or later immediately. Organizations should also review their cloud storage bucket configurations to ensure that no unauthorized buckets exist with predictable names. The discovery highlights the growing risks associated with AI/ML pipelines, where supply chain attacks can have cascading effects across multi-tenant cloud environments.
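The staging-bucket logic described above, written out as an added illustration (not the Vertex AI SDK's own code): the "use it if it already exists" pattern beside a fail-closed variant that verifies bucket ownership, plus the audit check the upgrade advice implies. The bucket-naming scheme, the `owner_project` field and the in-memory bucket table are constructed stand-ins, not the SDK's real pattern or GCS metadata.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BucketInfo:
    name: str
    owner_project: str  # assumed metadata: the project that owns the bucket


class StagingBucketHijacked(RuntimeError):
    """The predictable default bucket exists but another project owns it."""


def default_staging_bucket_name(project: str, region: str) -> str:
    # Hypothetical deterministic scheme; the SDK's real pattern is not reproduced.
    return f"{project}-{region}-staging"


def select_staging_bucket_unchecked(project, region, buckets):
    """Vulnerable pattern: bucket names are global, so an existing bucket of
    the expected name is used no matter which project created it."""
    name = default_staging_bucket_name(project, region)
    if name in buckets:
        return buckets[name]            # no ownership check
    buckets[name] = BucketInfo(name, project)
    return buckets[name]


def select_staging_bucket_checked(project, region, buckets):
    """Hardened pattern: an existing bucket is used only if we own it;
    otherwise the upload fails closed instead of going to a stranger."""
    name = default_staging_bucket_name(project, region)
    bucket = buckets.get(name)
    if bucket is None:
        buckets[name] = BucketInfo(name, project)
        return buckets[name]
    if bucket.owner_project != project:
        raise StagingBucketHijacked(f"{name} owned by {bucket.owner_project}")
    return bucket


def audit_default_buckets(project, regions, buckets):
    """Defender check: list default-name buckets in use that we do not own."""
    squatted = []
    for region in regions:
        name = default_staging_bucket_name(project, region)
        bucket = buckets.get(name)
        if bucket is not None and bucket.owner_project != project:
            squatted.append((name, bucket.owner_project))
    return squatted
```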

Synthesized by Vypr AI