CVE-2026-2472 in Vertex AI SDK for Python
Summary
by MITRE • 02/20/2026
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.
Analysis
by VulDB Data Team • 02/27/2026
The stored cross-site scripting vulnerability CVE-2026-2472 affects the _genai/_evals_visualization component within Google Cloud Vertex AI SDK, specifically impacting versions ranging from 1.98.0 through 1.130.0. This vulnerability represents a critical security flaw that enables unauthenticated remote attackers to inject malicious JavaScript code into the victim's browser environment. The flaw occurs within the visualization framework responsible for rendering model evaluation results and dataset JSON data, creating a persistent threat vector that can compromise user sessions and execute unauthorized actions. The vulnerability specifically targets Jupyter and Colab environments where users interact with AI model evaluations, making it particularly dangerous for data scientists and machine learning engineers who regularly analyze model performance metrics. The attack exploits the lack of proper input sanitization and output encoding when processing evaluation results and dataset information, allowing attackers to inject script escape sequences that persist in the visualization layer. This stored nature of the vulnerability means that once malicious code is injected, it will execute every time the affected visualization component renders the compromised data, creating a continuous threat for all users who view the affected evaluation results.
The vulnerability stems from insufficient validation and sanitization of user-provided data within the evaluation visualization module. When dataset JSON data or model evaluation results contain malicious script payloads, the system fails to properly escape or encode these inputs before rendering them in the browser environment. This allows attackers to inject JavaScript code that executes in the context of the victim's browser session, potentially leading to session hijacking, data exfiltration, or further exploitation of the compromised environment. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and demonstrates how insecure data handling practices can create persistent attack vectors in web-based development environments. The attack requires no authentication from the remote attacker, making it particularly dangerous as it can be exploited by anyone who has access to the affected SDK components or can influence the data being processed. The affected visualization component processes data from various sources including model outputs, evaluation metrics, and dataset metadata, creating multiple potential injection points for malicious payloads.
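The missing output encoding described above, shown as an added example that is not the SDK's code: it assumes a hypothetical notebook renderer that places evaluation JSON inside an inline `<script>` element, and the function names and sample row are constructed for illustration.

```python
import json

# Inside an inline <script> element the HTML parser ends the script at the
# first "</script", regardless of JavaScript string quoting. json.dumps does
# not escape "<", ">", "&" or "/", so they are rewritten as \uXXXX escapes,
# which decode back to the same characters when the JSON is parsed.
# (With the default ensure_ascii=True, U+2028/U+2029 are already escaped.)
SCRIPT_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

# Constructed evaluation row; the marker stands in for attacker-chosen text.
SAMPLE_ROW = {
    "prompt": "2+2?",
    "response": "4</script><script>/* constructed marker */</script>",
}


def naive_embed(data):
    """Vulnerable pattern: raw json.dumps output placed inside <script>."""
    return "<script>const DATA = " + json.dumps(data) + ";</script>"


def json_for_script(data):
    """Serialize data so no HTML-significant character reaches the page."""
    out = json.dumps(data)
    # In JSON text these characters can only occur inside strings, so a
    # global replace cannot damage the structure.
    for ch, esc in SCRIPT_UNSAFE.items():
        out = out.replace(ch, esc)
    return out


def safe_embed(data):
    """Hardened pattern: same markup, encoded payload."""
    return "<script>const DATA = " + json_for_script(data) + ";</script>"


def script_closers(html):
    """Count sequences the HTML parser would treat as ending a script."""
    return html.lower().count("</script")


if __name__ == "__main__":
    print("naive closers:", script_closers(naive_embed(SAMPLE_ROW)))
    print("safe closers: ", script_closers(safe_embed(SAMPLE_ROW)))
```

In the naive output the data itself supplies two extra script terminators; in the hardened output only the renderer's own closing tag remains, and the data round-trips unchanged.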
The operational impact of CVE-2026-2472 extends beyond simple script execution, as it can enable sophisticated attack chains that compromise entire development environments. Users working with Vertex AI in Jupyter or Colab notebooks face potential exposure to credential theft, unauthorized code execution, and data manipulation. The vulnerability is particularly concerning in enterprise environments where multiple users collaborate on machine learning projects, as a single compromised evaluation result can affect all team members who view the visualization. Attackers can leverage this vulnerability to establish persistent access to development environments, potentially leading to broader network compromise through access to model training data, development credentials, or other sensitive information stored in these environments. The vulnerability also affects the integrity of model evaluation data, as attackers can inject malicious code that modifies or corrupts the visualization output, potentially misleading users about model performance metrics or dataset characteristics. This threat is exacerbated by the fact that many data science workflows rely heavily on visualization components for decision-making processes, making the impact of such attacks more severe than typical XSS vulnerabilities.
Mitigation strategies for CVE-2026-2472 require immediate attention and multiple layers of defense to protect affected environments. Organizations should prioritize upgrading to Google Cloud Vertex AI SDK versions 1.131.0 or later, which contain the necessary patches to address the stored XSS vulnerability. System administrators should implement strict input validation and sanitization policies for all data entering the evaluation visualization components, ensuring that no user-provided content is rendered without proper escaping and encoding. The implementation of Content Security Policy headers can provide additional protection by restricting script execution in the affected environments, though this should complement rather than replace proper input validation. Security monitoring should be enhanced to detect unusual patterns in dataset or evaluation result uploads that might indicate malicious injection attempts. Regular security assessments of development environments and notebooks should be conducted to identify potential vulnerabilities in custom visualization components or third-party integrations. Organizations should also consider implementing network segmentation and access controls to limit exposure of development environments to untrusted networks or users. The vulnerability demonstrates the importance of securing development and analysis tools, as these environments often contain sensitive data and represent attractive targets for attackers seeking to compromise data science workflows and machine learning systems.
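Two of the checks above, as an added example rather than vendor tooling: a version test against the affected range stated on this page (1.98.0 up to, but not including, 1.131.0) and a heuristic scan of dataset JSON for markup before it is visualized. The regex, function names and sample rows are assumptions made for illustration.

```python
import json
import re
from importlib import metadata

AFFECTED_MIN = (1, 98, 0)   # first affected release, per the advisory text
FIXED = (1, 131, 0)         # first fixed release, per the advisory text

# Heuristic triage patterns (assumption): script tags, inline event
# handlers and javascript: URLs. A hit means "review", not "confirmed".
MARKUP = re.compile(r"<\s*/?\s*script\b|<[^>]*\son\w+\s*=|javascript:", re.I)

# Constructed sample rows; the second carries a constructed marker.
SAMPLE_ROWS = json.loads(
    '[{"prompt": "Summarise the report", "response": "ok"},'
    ' {"prompt": "hi", "response": "x</script><script>/*constructed*/</script>"}]'
)


def parse_version(version):
    """Return the numeric X.Y.Z release; pre/post suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_sdk_affected(dist="google-cloud-aiplatform"):
    """True/False for the installed SDK, None if it is not installed."""
    try:
        return is_affected(metadata.version(dist))
    except metadata.PackageNotFoundError:
        return None


def find_markup(obj, path="$"):
    """Return JSON paths of keys or string values that contain markup."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if MARKUP.search(str(key)):
                hits.append(f"{path} (key {key!r})")
            hits += find_markup(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits += find_markup(value, f"{path}[{i}]")
    elif isinstance(obj, str) and MARKUP.search(obj):
        hits.append(path)
    return hits
```

The scan complements the upgrade and output encoding; pattern matching alone will miss encodings it was not written for.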