The Hacker News · Jun 16, 2026 19:05 UTC

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

Summary

A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty program, calls the technique "Pickle in the Middle" and said it saw no exploitation in the wild.

Original reporting

Open original source

Related coverage

Read full article on The Hacker News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

Original reporting

Related coverage

Z.ai’s open-weights GLM-5.2 beats GPT-5.5 on multiple long-horizon coding benchmarks for 1/6th the cost

Can Hormuz be bypassed? Past shows commercial viability may simply not be there, analyst says

Python dev saved from disaster by intuition...and AI

Hormuz reopening may ease fertilizer prices for farmers