PERMISSION/PROTOCOL

2026-04-01

Critical · Primary

Google Vertex AI Pickle in the Middle: Predictable GCS Bucket Names from Project ID + Region Enabled Pre-Squatting, Cross-Tenant RCE Inside Google Serving Infrastructure

The Google Vertex AI SDK generated predictable GCS bucket names from project ID + region. An attacker pre-creates the predicted bucket; the victim's SDK uploads model files there; the attacker swaps in a malicious pickle, yielding RCE inside Google's serving infrastructure, cross-tenant. Disclosed Jun 16, 2026 (patched in April in v1.148.0). Unit 42 / Palo Alto Networks bug bounty.

Google Vertex AI | Tool execution / MCP | Bucket squatting + malicious pickle injection: cross-tenant RCE in AI serving infrastructure | Google Vertex AI serving infrastructure / cross-tenant

What happened

Unit 42 demonstrated the attack chain: compute the target's predictable GCS bucket name, pre-create it, wait for the victim to upload model files, then replace them with a malicious pickle. When Vertex AI loaded the poisoned model, the pickle was deserialized on Google's serving infrastructure.

Why it matters

RCE inside Google's Vertex AI serving infrastructure. Cross-tenant risk: a compromised serving process could potentially access or affect other tenants' workloads. Attack affected any Vertex AI user whose project ID and region could be known or enumerated.

Missing authorization check

AI model serving pipelines must verify the cryptographic integrity of model files before loading. Bucket names must not be predictable from public or enumerable project attributes. Model file ownership must be verified before serving.

Would PP block it?

A PP receipt for model deployment could include a cryptographic hash of the expected model files, providing integrity verification that would detect the pickle swap. The underlying bucket name predictability requires a code fix in the SDK.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04-01

    Google releases Vertex AI SDK v1.148.0 patching the predictable GCS bucket name vulnerability. Unit 42 / Palo Alto Networks credited with bug bounty discovery.

  2. 2026-06-16

    Unit 42 publicly discloses the Pickle in the Middle attack: predictable bucket name squatting enables malicious pickle injection and cross-tenant RCE inside Google Vertex AI serving infrastructure.

Technical breakdown

  • The Vertex AI SDK generated GCS bucket names using a deterministic formula based on project ID and region — both enumerable or knowable by attackers.
  • An attacker could pre-create the predicted bucket before the victim's SDK first referenced it.
  • When the victim ran the SDK, it uploaded model files to the attacker's pre-created bucket without detecting the ownership mismatch.
  • The attacker swapped the legitimate model files for a malicious Python pickle. When Vertex AI loaded the model for serving, pickle deserialization executed the payload.
  • Pickle deserialization inside Google's serving infrastructure could achieve cross-tenant access to other users' serving workloads.
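The integrity check that "Would PP block it?" describes, applied to the file swap in the breakdown above, as an added example written for this page (not Google's SDK code and not Unit 42's proof of concept). The receipt format, a map of relative file path to SHA-256 digest, and all function names are assumptions; the model files and the tampering are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large weight files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_receipt(model_dir: Path) -> dict[str, str]:
    """Hypothetical receipt: digest of every file recorded at deployment-approval time."""
    return {
        str(p.relative_to(model_dir)): sha256_file(p)
        for p in sorted(model_dir.rglob("*")) if p.is_file()
    }


def verify_against_receipt(model_dir: Path, receipt: dict[str, str]) -> list[str]:
    """Return integrity findings; an empty list means the files may be loaded."""
    findings = []
    actual = make_receipt(model_dir)
    for rel, expected in receipt.items():
        got = actual.get(rel)
        if got is None:
            findings.append(f"missing: {rel}")
        elif got != expected:
            findings.append(f"modified: {rel}")
    # Files absent from the receipt are also a finding: a swap can add artifacts, not just replace them.
    findings.extend(f"unexpected: {rel}" for rel in actual if rel not in receipt)
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: approve a model, then simulate a swap by whoever controls the bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        (model_dir / "model.pkl").write_bytes(b"\x80\x04legit-weights.")  # constructed stand-in
        (model_dir / "config.json").write_bytes(b'{"framework": "sklearn"}')
        receipt = make_receipt(model_dir)
        clean = verify_against_receipt(model_dir, receipt)
        # Simulated tampering: the pickle is replaced and an extra artifact appears.
        (model_dir / "model.pkl").write_bytes(b"\x80\x04tampered.")
        (model_dir / "extra.pkl").write_bytes(b"\x80\x04")
        tampered = verify_against_receipt(model_dir, receipt)
    return clean, tampered
```

The serving side should refuse to deserialize anything when `verify_against_receipt` returns findings; the receipt itself has to be produced and signed outside the bucket the attacker can control.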

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Deploy Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Model deployment authorization, file integrity verification
Still needs: Predictable bucket naming; missing model file integrity verification before serving
Receipt required for: Model file uploads, model deployment to serving infrastructure

PP's Deploy Gate would require a receipt before model deployment operations. It would not by itself prevent the bucket squatting or the pickle injection; those require fixes in how bucket names are generated and how model integrity is verified.

Start small

Put the relevant gate at this action boundary.

This incident maps to Deploy Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
