An attacker who knows only your company's public Google Cloud project ID, a value often visible in documentation, error messages, or public repositories, could silently replace AI models your teams deploy on Vertex AI with malicious versions, without ever needing a password or inside access. If exploited, the attacker's code runs inside Google's infrastructure using your credentials, potentially exposing data, models, and cloud resources owned by your organization and, critically, resources shared with other tenants on the platform. For organizations using Vertex AI in production AI/ML pipelines, this represents a supply chain risk that could result in data exfiltration, operational disruption of AI-dependent services, and regulatory exposure if the affected pipelines process sensitive or regulated data.
You Are Affected If
You use the Google Cloud Vertex AI SDK for Python (google-cloud-aiplatform) at a version below 1.148.0 in any environment
Your team uploads, registers, or serves ML models through Vertex AI model upload or training pipeline APIs
Your GCP project ID is publicly visible in code repositories, documentation, API responses, or error logs
You have not audited or claimed ownership of Vertex AI default staging buckets in your GCP project
Vertex AI service accounts in your environment hold OAuth scopes with access to cross-project or sensitive resources
Board Talking Points
An attacker needed only our public cloud project ID, not any password or insider access, to potentially replace AI models we deploy with malicious code that runs inside our cloud infrastructure.
Within this week, engineering teams should upgrade the affected SDK to version 1.148.0 and audit model artifacts uploaded in the last 90 days.
Without action, any AI model deployed through the affected pipeline could execute attacker-controlled code in our environment and expose credentials with access to broader cloud resources.
HIPAA — if Vertex AI pipelines process, train on, or serve models against protected health information, the OAuth token theft vector creates a reportable unauthorized access risk to ePHI
GDPR — if training data or inference inputs contain personal data of EU residents and the staging bucket was accessible to an unauthorized party, this may constitute a personal data breach requiring notification assessment