Vertex AI Agents Expose Cloud Credentials

On April 1, 2026, Palo Alto Networks' Unit 42 disclosed a critical vulnerability in Google Cloud's Vertex AI Agent Engine that lets attackers exfiltrate credentials and data. Researchers showed malicious agents can use Python pickle payloads to retrieve P4SA credentials from the metadata service, enabling cross-project access to GCS, Artifact Registry, and Workspace. Google collaborated on fixes and recommends BYOSA and least-privilege service accounts.
Key Points
- 1Demonstrated exploit allows malicious Vertex AI agents to retrieve P4SA credentials via metadata and pickle deserialization.
- 2Highlights overly broad default P4SA and OAuth scopes, enabling cross-project access to GCS, Artifact Registry, Workspace.
- 3Advises BYOSA and strict least-privilege service accounts, security reviews, and restricted scopes for deployments.
Scoring Rationale
High-impact, credible disclosure from Unit 42 with Google collaboration. Vulnerability exploits default P4SA permissions across Vertex AI, enabling broad credential exfiltration; concrete BYOSA and least-privilege mitigations make the alert directly actionable.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
