Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

June 16, 2026 | discoverhiddenusacom | Technology

A vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python allowed attackers to hijack model uploads and execute malicious code without prior access to a victim’s cloud environment. According to researchers at Palo Alto Networks Unit 42, the flaw, which they dubbed “Pickle in the Middle,” stemmed from predictable default bucket naming and a lack of ownership verification in the SDK’s staging logic. Google addressed the issue in version 1.148.0 of the SDK, released on April 15, 2026.

How the “Pickle in the Middle” attack works

The attack exploits the deterministic way the Vertex AI SDK names temporary storage buckets. When a developer does not specify a custom staging bucket, the SDK automatically derives one from the project ID and region. Because Cloud Storage bucket names are global, an attacker who predicts this name can “squat” on it by creating the bucket in their own project first. The SDK did not verify that the bucket belonged to the victim, so it silently uploaded model artifacts to attacker-controlled storage. Once the artifacts land, the attacker uses a Cloud Function to replace the legitimate model with a malicious version containing a serialized Python object that executes arbitrary code when the victim eventually deploys the model, leveraging the well-known insecurity of deserializing untrusted data with the pickle module.

Pro Tip: Always define an explicit staging_bucket parameter when using the Model.upload() method. Relying on default SDK naming conventions can expose your infrastructure to bucket squatting risks.

Why the window of opportunity is so narrow

Attackers must act in near-real-time to succeed. Unit 42 researchers found that the time elapsed between a victim uploading a model and Google’s internal service agent reading it is approximately 2.5 seconds. By using a Cloud Function triggered by the google.storage.object.finalize event, an attacker can detect the upload and swap the file in roughly 800 milliseconds. Automating the race this way lets the malicious payload replace the original file before the platform’s automated systems process the deployment.

What are the long-term security implications?

Successful exploitation grants attackers more than just control over a single model. According to Unit 42, the exfiltrated OAuth tokens from the compromised service account carry “cloud-platform” scope, the highest level of permission within the managed tenant project. This access allows for cross-deployment model theft, reconnaissance of BigQuery datasets, and the ability to view internal infrastructure details like Kubernetes cluster names. This incident highlights a shift in threat modeling where security teams must now defend the entire AI supply chain, not just the final model.

Did you know? Machine learning models are often serialized using the pickle or joblib formats. These formats are inherently dangerous because they can execute arbitrary code upon deserialization—the exact process the “Pickle in the Middle” attack targets.
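To make the deserialization point concrete, here is an added example (not code from the article or from Unit 42) showing why a pickle-based model file can carry code and what an allow-listed loader looks like. It follows the approach the Python documentation describes for restricting globals through Unpickler.find_class; the allow-list contents and both sample payloads are constructed for this example, and the second payload only references a harmless function so it exercises the import mechanism without doing anything.

```python
# Added example (not from the article or from Unit 42): why pickle-based model
# files are dangerous and what an allow-listed loader looks like. Python's own
# docs describe restricting globals via Unpickler.find_class; the allow-list
# below and the sample payloads are constructed for this example.
import collections
import io
import os
import pickle

# Only these (module, name) pairs may be imported while loading a model file.
# A real loader would list the tensor/array types its framework actually needs.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "slice"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allow-list.

    The GLOBAL/STACK_GLOBAL opcodes are how a pickle names an arbitrary
    importable callable; with REDUCE that callable is invoked on load. Cutting
    the import off here is what denies a poisoned model its code execution.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} while loading model bytes"
        )


def restricted_loads(data: bytes):
    """Load a pickle stream with the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """'accepted' if the restricted loader takes it, otherwise the reason."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


def default_loader_accepts(data: bytes) -> bool:
    """The stock pickle.loads imports whatever module the stream names."""
    try:
        pickle.loads(data)
        return True
    except Exception:
        return False


# Constructed inputs. The second one only references a harmless function, but
# it exercises the same import mechanism a malicious artifact relies on.
BENIGN_MODEL = pickle.dumps(
    {"weights": [0.1, 0.2, 0.3], "layers": collections.OrderedDict(dense=64)}
)
GLOBAL_REFERENCE = pickle.dumps(os.path.join)

if __name__ == "__main__":
    print(classify(BENIGN_MODEL))          # accepted
    print(classify(GLOBAL_REFERENCE))      # rejected: refusing to import ...
    print(default_loader_accepts(GLOBAL_REFERENCE))  # True: stock loader imports it
```

The stock loader accepts both streams because it will import any module a stream names; the restricted loader accepts only the plain weights. An allow-list narrows the blast radius of a swapped artifact, but it is an allow-list for one loader, not a guarantee that pickle is safe to use on data from a bucket you do not control.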

How to protect your AI deployments

The primary defense against this vulnerability is updating the google-cloud-aiplatform library. Google released patches in version 1.144.0 and a final, comprehensive fix in version 1.148.0. Beyond patching, organizations should implement strict Identity and Access Management (IAM) policies that limit who can create buckets and who can interact with staging environments. Security teams should also monitor for “bucket squatting” attempts by auditing the creation of storage resources that match the naming patterns used by their automated CI/CD pipelines.
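As an added example of the auditing step described above (not code from the article), the following detector runs over a few constructed bucket-creation log lines and flags two signals: a pipeline identity creating a bucket with a predictable default-style name, and a creation attempt for such a name that failed because the name already exists. The entries are shaped loosely after audit events, but the field names, the pipeline principal and the `<project>-<region>-staging` layout are assumptions; status code 6 follows google.rpc.Code.ALREADY_EXISTS.

```python
# Added example (not from the article): detection logic for the audit guidance
# above, run over constructed log lines. Field names, the pipeline principal and
# the "<project>-<region>-staging" layout are assumptions for this example;
# status code 6 follows google.rpc.Code.ALREADY_EXISTS.
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed shape of a name derived only from project ID and region.
DEFAULT_STYLE = re.compile(r"^[a-z][a-z0-9-]*?-[a-z]+-[a-z]+\d-staging$")
PIPELINE_SUFFIX = "@victim-proj.iam.gserviceaccount.com"  # assumed CI/CD identity

# Constructed sample entries, one JSON object per line.
SAMPLE_LOGS = [
    '{"methodName": "storage.buckets.create", "principalEmail": "ci-builder@victim-proj.iam.gserviceaccount.com", "bucketName": "victim-proj-us-central1-staging", "status": {"code": 0}}',
    '{"methodName": "storage.buckets.create", "principalEmail": "ci-builder@victim-proj.iam.gserviceaccount.com", "bucketName": "victim-proj-europe-west4-staging", "status": {"code": 6, "message": "bucket name not available"}}',
    '{"methodName": "storage.buckets.create", "principalEmail": "alice@example.com", "bucketName": "ml-artifacts-7f3a9c", "status": {"code": 0}}',
    '{"methodName": "storage.objects.create", "principalEmail": "ci-builder@victim-proj.iam.gserviceaccount.com", "bucketName": "victim-proj-us-central1-staging", "status": {"code": 0}}',
]


@dataclass
class Finding:
    severity: str
    bucket: str
    principal: str
    reason: str


def detect_squatting_signals(
    lines: Iterable[str], pipeline_suffix: str = PIPELINE_SUFFIX
) -> List[Finding]:
    """Scan bucket-creation events for predictable staging names and collisions."""
    findings: List[Finding] = []
    for raw in lines:
        entry = json.loads(raw)
        if entry.get("methodName") != "storage.buckets.create":
            continue  # object writes and other calls are out of scope here
        bucket = entry.get("bucketName", "")
        if not DEFAULT_STYLE.match(bucket):
            continue  # explicit, non-default names are not what we are hunting
        principal = entry.get("principalEmail", "")
        code = entry.get("status", {}).get("code", 0)
        if code == 6:
            # The name already exists somewhere; confirm who holds it before
            # any pipeline stages artifacts into it.
            findings.append(Finding(
                "HIGH", bucket, principal,
                "creation of a predictable staging name failed because it already exists",
            ))
        elif principal.endswith(pipeline_suffix):
            findings.append(Finding(
                "MEDIUM", bucket, principal,
                "pipeline relied on a predictable default-style staging name; set an explicit staging_bucket",
            ))
    return findings


if __name__ == "__main__":
    for finding in detect_squatting_signals(SAMPLE_LOGS):
        print(finding.severity, finding.bucket, finding.principal, finding.reason)
```

One caveat worth keeping in mind when wiring this up: a bucket an attacker created in their own project never appears in your project's logs. What you can see on your side is your own pipelines relying on predictable names, and the collision when one of those names is already taken, which is why both signals are reported.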

Frequently Asked Questions

Is my project still at risk if I updated the SDK?

No, provided you are running version 1.148.0 or later. Google added both random UUIDs to bucket names and explicit ownership verification checks to prevent unauthorized bucket usage.
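The two fixes in that answer, and the explicit-bucket advice in the Pro Tip above, can be modelled in a few lines. The following is an added example, not the Vertex AI SDK's own code: a staging-bucket helper that generates a name with a random suffix and refuses to stage artifacts unless the bucket is owned by the caller's project. The storage backend is a constructed in-memory stand-in so the example runs offline; the `-staging` naming layout and the project-number ownership model are assumptions.

```python
# Added example (not the Vertex AI SDK's own code): a staging-bucket helper that
# models the two fixes the article describes, an unguessable bucket name and an
# ownership check before any artifact is staged. FakeStorage is a constructed
# stand-in for a bucket API; the "-staging" layout and the project-number
# ownership model are assumptions.
import re
import uuid
from typing import Dict, Optional, Tuple


class StagingBucketError(RuntimeError):
    """Raised when a staging bucket cannot be used safely."""


# Assumed shape of a default-style name built only from project ID and region.
DEFAULT_STYLE = re.compile(r"^[a-z][a-z0-9-]*?-[a-z]+-[a-z]+\d-staging$")


class FakeStorage:
    """Constructed stand-in for a bucket API: bucket name -> owning project number.

    Bucket names are global, so a name taken by any project is unavailable to
    everyone else; that is what makes squatting a predictable name possible.
    """

    def __init__(self, existing: Optional[Dict[str, int]] = None) -> None:
        self.buckets: Dict[str, int] = dict(existing or {})

    def owner(self, name: str) -> Optional[int]:
        return self.buckets.get(name)

    def create(self, name: str, project_number: int) -> None:
        if name in self.buckets:  # a real API would answer 409 Conflict here
            raise StagingBucketError(f"bucket name {name!r} is already taken")
        self.buckets[name] = project_number


def is_predictable_name(name: str) -> bool:
    """True if the name is derivable from project ID and region alone."""
    return DEFAULT_STYLE.match(name) is not None


def staging_bucket_name(project_id: str, region: str) -> str:
    """Default-style prefix plus a random suffix, so nobody can pre-create it."""
    return f"{project_id}-{region}-staging-{uuid.uuid4().hex[:12]}"


def ensure_staging_bucket(name: str, my_project_number: int, storage: FakeStorage) -> str:
    """Create the bucket if missing, then refuse to proceed unless we own it.

    The vulnerable behaviour the article describes is the first step without
    the second: existence was enough, so an attacker-owned bucket was used.
    """
    if storage.owner(name) is None:
        storage.create(name, my_project_number)
    owner = storage.owner(name)
    if owner != my_project_number:
        raise StagingBucketError(
            f"bucket {name!r} belongs to project {owner}, not {my_project_number}; "
            "refusing to stage model artifacts there"
        )
    return name


def safe_to_stage(name: str, my_project_number: int, storage: FakeStorage) -> bool:
    """True when ensure_staging_bucket() accepts the bucket, False when it refuses."""
    try:
        ensure_staging_bucket(name, my_project_number, storage)
        return True
    except StagingBucketError:
        return False


def demo_scenario() -> Tuple[bool, bool, Optional[int]]:
    """Constructed scenario: project 999 already holds the predictable name."""
    store = FakeStorage({"victim-proj-us-central1-staging": 999})
    squatted_ok = safe_to_stage("victim-proj-us-central1-staging", 111, store)
    fresh = staging_bucket_name("victim-proj", "us-central1")
    fresh_ok = safe_to_stage(fresh, 111, store)
    return squatted_ok, fresh_ok, store.owner(fresh)


if __name__ == "__main__":
    print(demo_scenario())  # (False, True, 111)
```

The predictable name is refused even though the bucket exists, because it is owned by another project; the randomised name is created and verified in the same call. Passing an explicit bucket you already own through `ensure_staging_bucket` gives the same guarantee, which is the point of the Pro Tip above.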

What should I do if I suspect a compromise?

If you believe your Vertex AI environment was accessed, contact your cloud provider’s incident response team immediately. Palo Alto Networks Unit 42 also provides an incident response service for complex AI-specific threats.

Does this affect all cloud platforms?

No. This specific vulnerability was unique to the Vertex AI SDK for Python’s staging logic on Google Cloud. However, bucket squatting remains a general risk across all major cloud providers when resource naming is predictable.

