A critical security flaw has been discovered in the **Google Cloud Vertex AI SDK for Python**, enabling an attacker to hijack a victim's machine learning model upload and run malicious code within **Google's** serving infrastructure. The vulnerability, identified and reported by **Palo Alto Networks Unit 42** through **Google's** bug bounty program, has been dubbed "Pickle in the Middle." ### The Attack Vector: Predictable Bucket Names The attack capitalized on a predictable naming convention for temporary **Cloud Storage** buckets used during model uploads. If a user did not explicitly define a `staging_bucket` parameter, the SDK would generate a bucket name based on the project ID and region (e.g., *project-vertex-staging-region*). Crucially, the SDK checked for the bucket's existence but failed to verify ownership. This oversight allowed an attacker, knowing only the victim's often-public project ID, to pre-create the expected bucket in their own **Google Cloud** project. Consequently, the victim's SDK would upload their model files directly to the attacker's controlled bucket.  ### Exploiting Model Serialization Many Python ML models are serialized using `pickle` or `joblib`, which can execute code upon file loading. After the victim's legitimate model was uploaded to the attacker's bucket, the attacker could swiftly replace it with a malicious version. When **Vertex AI** subsequently loaded this swapped model, the attacker's code would execute within the serving container. **Unit 42**'s proof-of-concept demonstrated this by using a **Cloud Function** to replace the model within 1.4 seconds of upload, beating the 2.5-second window before **Vertex AI** read the file. The payload then stole an **OAuth** token from the serving container's metadata server, sending it to the attacker. In their test environment, this token granted broad access to other model artifacts, **BigQuery** metadata, access lists, tenant logs, and internal container image paths within the same **Google**-managed tenant project.  ### Conditions for Attack The attack was contingent on two conditions: 1. The victim's default staging bucket did not already exist in the target region (common for new projects). 2. The developer relied on the SDK's default behavior, leaving the `staging_bucket` parameter unset. **Unit 42** reported the flaw on March 5, 2026, testing versions 1.139.0 and 1.140.0, both found vulnerable. ### The Fix and Remediation **Google** released an initial fix in **v1.144.0** on March 31, adding a random `uuid4` to the bucket name. The complete remediation arrived in **v1.148.0** on April 15, which introduced bucket ownership verification in `Model.upload()` to prevent bucket squatting. As of this publication, no **CVE** has been assigned to this issue. Users of the **Google Cloud Vertex AI SDK for Python** are strongly advised to update to version **1.148.0 or later** to ensure the ownership check is active. Additionally, explicitly setting a `staging_bucket` to a controlled **Cloud Storage** location when uploading models is a recommended best practice. Developers should verify the `google-cloud-aiplatform` version across all environments, including notebooks, CI jobs, and training pipelines. This marks the second predictable-bucket-name flaw in **Vertex AI** this year, following the patch for **CVE-2026-2473** in February, a separate bucket-squatting vulnerability that also led to cross-tenant code execution and model compromise.