Description
Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

This vulnerability was patched and no customer action is needed.
Published: 2026-02-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: No action
AI Analysis

Impact

An attacker can pre‑create predictably named Cloud Storage buckets to exploit predictable bucket naming in Google Cloud Vertex AI Experiments versions 1.21.0 to 1.133.0. By doing so, the attacker can gain cross‑tenant remote code execution, steal trained models, or poison models running on other tenants' data. The weakness is a predictable naming scheme that lacks proper authorization checks, documented as CWE‑340.

Affected Systems

Google Cloud Vertex AI Experiments versions 1.21.0 through 1.133.0 (excluding 1.133.0) are affected. Any tenant using these versions is susceptible.

Risk and Exploitability

The CVSS base score is 7.7, indicating moderate severity, while the EPSS score is less than 1%, implying a very low likelihood of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attacks can be launched without prior authentication by creating buckets with predictable names. Google has patched the issue; no customer action is required at this time.

Generated by OpenCVE AI on April 18, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Monitor Cloud Storage for unexpected bucket creation events that match faulty naming patterns.
  • Apply stricter IAM policies to limit bucket creation and naming rights to trusted accounts only.
  • Enable Cloud Audit Logging for bucket creation events to detect suspicious activity.

Generated by OpenCVE AI on April 18, 2026 at 11:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wh2j-26j7-9728 Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming
History

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Google Cloud
Google Cloud vertex Ai Experiments
Vendors & Products Google Cloud
Google Cloud vertex Ai Experiments

Fri, 20 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting). This vulnerability was patched and no customer action is needed.
Title Bucket Squatting in Vertex AI Experiments leads to RCE and Model Theft.
Weaknesses CWE-340
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear'}

Subscriptions

Google Cloud Vertex Ai Experiments
cve-icon MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-02-23T19:54:20.923Z

Reserved: 2026-02-13T15:41:59.549Z

Link: CVE-2026-2473

cve-icon Vulnrichment

Updated: 2026-02-23T19:52:32.652Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T20:25:24.497

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2473

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses