What happened: A flaw in the Google Cloud Vertex AI SDK for Python allowed an attacker with only a Google Cloud project and the victim's project ID to intercept model uploads. The SDK generated a predictable temporary bucket name; if an attacker created that bucket first in their own project, the victim's upload would go to the attacker's bucket instead. The attacker could then swap in a malicious model that executed code when Vertex AI loaded it. Google shipped the fix in version 1.148.0 on April 15, adding bucket ownership verification.
Why it matters: The attack required no stolen credentials, phishing, or initial foothold—only publicly available information. Once code ran inside the serving container, it could steal OAuth tokens with broad access to other models, TensorFlow artifacts, BigQuery metadata, and internal infrastructure details in the same Google-managed tenant. This is the second bucket-squatting flaw in Vertex AI this year, suggesting a pattern in how the service handles default storage.
What to watch: Update to SDK version 1.148.0 or later immediately. Also set an explicit staging_bucket parameter to a Cloud Storage location you control when uploading models, and check the google-cloud-aiplatform version wherever it runs—notebooks, CI jobs, training pipelines, and production services alike.
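The following preflight check is an added example, not code from this summary, from Google, or from the Vertex AI SDK project. It refuses to assemble the arguments for a model upload unless the installed google-cloud-aiplatform is 1.148.0 or newer and the caller supplies an explicit gs:// staging bucket drawn from an allow-list of buckets the team owns, which closes the gap the summary describes in two places: the unpatched SDK never runs, and the SDK is never left to pick a default bucket name. The bucket names and the allow-list are constructed; the keyword names display_name, artifact_uri, serving_container_image_uri and staging_bucket are assumed to match aiplatform.Model.upload, and the same staging_bucket value is assumed to be accepted by aiplatform.init as the project-wide default.

```python
"""Preflight gate for Vertex AI model uploads (constructed example, not SDK code)."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# First google-cloud-aiplatform release that verifies staging-bucket ownership (per the summary).
FIXED_VERSION = (1, 148, 0)
SDK_DISTRIBUTION = "google-cloud-aiplatform"

# Constructed allow-list: the Cloud Storage buckets this team actually owns.
OWNED_BUCKETS = {"example-team-model-staging", "example-team-model-archive"}

_BUCKET_URI = re.compile(r"gs://([a-z0-9][a-z0-9._-]{1,61}[a-z0-9])(/.*)?")


def parse_version(text):
    """Return the leading numeric components of a version string as a 3-tuple.

    Suffixes such as 'rc1' or 'dev' are dropped, and missing components pad to 0,
    so '1.150' -> (1, 150, 0).
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_sdk_patched(version_text):
    """True when the given SDK version includes the bucket ownership verification fix."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_sdk_version():
    """Version of google-cloud-aiplatform in this environment, or None if not installed."""
    try:
        return installed_version(SDK_DISTRIBUTION)
    except PackageNotFoundError:
        return None


def validate_staging_bucket(uri, owned_buckets):
    """Require an explicit gs:// URI whose bucket is on the caller's own allow-list.

    Rejecting empty or malformed values means the SDK is never left to choose
    a default bucket name on the caller's behalf.
    """
    match = _BUCKET_URI.fullmatch(uri or "")
    if not match:
        raise ValueError(f"staging_bucket must be an explicit gs:// URI, got {uri!r}")
    bucket = match.group(1)
    if bucket not in owned_buckets:
        raise ValueError(f"bucket {bucket!r} is not in the allow-list of buckets you own")
    return bucket


def build_upload_kwargs(display_name, artifact_uri, serving_container_image_uri,
                        staging_bucket, owned_buckets=OWNED_BUCKETS, sdk_version=None):
    """Return keyword arguments for Model.upload, or raise if the environment is unsafe.

    sdk_version is overridable so CI can test the gate without the SDK installed;
    in production leave it None so the installed version is checked.
    """
    version_text = sdk_version if sdk_version is not None else installed_sdk_version()
    if version_text is None:
        raise RuntimeError(f"{SDK_DISTRIBUTION} is not installed in this environment")
    if not is_sdk_patched(version_text):
        raise RuntimeError(
            f"{SDK_DISTRIBUTION} {version_text} predates 1.148.0; upgrade before uploading")
    validate_staging_bucket(staging_bucket, owned_buckets)
    return {
        "display_name": display_name,
        "artifact_uri": artifact_uri,
        "serving_container_image_uri": serving_container_image_uri,
        "staging_bucket": staging_bucket,  # explicit, never the SDK default
    }


if __name__ == "__main__":
    # Constructed values; in a real job the kwargs go to aiplatform.Model.upload(**kwargs)
    # after aiplatform.init(project=..., location=..., staging_bucket=kwargs["staging_bucket"]).
    kwargs = build_upload_kwargs(
        display_name="example-classifier",
        artifact_uri="gs://example-team-model-archive/classifier/v3/",
        serving_container_image_uri="us-docker.pkg.dev/example-project/serving/classifier:v3",
        staging_bucket="gs://example-team-model-staging/uploads",
        sdk_version="1.148.0",
    )
    print(kwargs)
```

Run the same gate from every place the SDK is used (notebooks, CI, training pipelines, serving jobs) with sdk_version left as None, so a stale installation anywhere fails loudly instead of silently falling back to a predictable bucket name.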