CVE-2026-2473 in Vertex AI Experiments
Summary
by MITRE • 02/20/2026
Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).
This vulnerability was patched and no customer action is needed.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2026-2473 represents a critical security flaw in Google Cloud Vertex AI Experiments affecting versions 1.21.0 through 1.132.0. This issue stems from predictable bucket naming mechanisms that enable attackers to exploit the system's resource allocation patterns. The flaw allows unauthenticated remote attackers to perform cross-tenant remote code execution, model theft, and poisoning attacks by pre-creating Cloud Storage buckets with predictable names. The vulnerability's classification aligns with CWE-200, which addresses information exposure through predictable resource names, and demonstrates how predictable naming schemes can lead to severe privilege escalation and data compromise scenarios.
The technical implementation of this vulnerability exploits the predictable nature of bucket naming conventions within Vertex AI Experiments. Attackers can leverage this predictability to squat on bucket names that the system would normally create during legitimate operations, effectively pre-occupying resources that should remain isolated to specific tenants. This bucket squatting technique enables attackers to intercept or manipulate data flows between different customer environments, creating opportunities for cross-tenant data leakage and code execution. The attack vector operates entirely remotely without requiring authentication credentials, making it particularly dangerous as it bypasses traditional access control mechanisms.
The operational impact of CVE-2026-2473 extends beyond simple data theft to encompass full system compromise capabilities. Cross-tenant remote code execution allows attackers to execute arbitrary code within the context of other customers' workloads, potentially leading to complete system infiltration. Model theft represents a significant business risk as proprietary machine learning models can be extracted and repurposed by malicious actors. Model poisoning attacks can corrupt training data and compromise the integrity of AI systems, potentially affecting hundreds or thousands of customers depending on the scale of the vulnerability exploitation. The vulnerability affects the core infrastructure of Vertex AI Experiments, making it a critical concern for organizations relying on Google Cloud's machine learning services.
The mitigation strategy for this vulnerability involves immediate patching of affected systems, as Google has already released fixes for this issue. Organizations should verify that their Vertex AI Experiments environments are running patched versions of the software to prevent exploitation. The vulnerability's resolution demonstrates the importance of proper resource naming conventions and isolation mechanisms in multi-tenant cloud environments. Security teams should implement monitoring for anomalous bucket creation patterns and establish automated detection mechanisms for potential bucket squatting activities. This vulnerability also highlights the need for comprehensive security testing of naming and resource allocation mechanisms, particularly in systems handling sensitive data and machine learning models. The fix addresses the root cause by implementing non-predictable bucket naming and strengthening tenant isolation boundaries, aligning with security best practices outlined in cloud security frameworks and standards.