Full Report
Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused
Analysis Summary
# Vulnerability: Vertex AI Service Agent Excessive Permission Scoping
## CVE Details
- **CVE ID**: Not Assigned (Design Flaw/Permission Misconfiguration)
- **CVSS Score**: N/A (High Impact)
- **CWE**: CWE-267 (Privilege Defined With Unsafe Actions); CWE-732 (Incorrect Permission Assignment for Critical Resource)
## Affected Systems
- **Products**: Google Cloud Platform (GCP) Vertex AI
- **Versions**: Current versions utilizing the Agent Development Kit (ADK) and Agent Engine.
- **Configurations**: Deployments using the default Per-Project, Per-Product Service Agent (P4SA) instead of custom service accounts.
## Vulnerability Description
Researchers discovered a "blind spot" in the Vertex AI permission model where the default Service Agent is granted excessive permissions. When an AI agent is deployed via the Agent Engine, any call to the agent invokes Google's metadata service. This exposure allows an attacker to extract the service agent’s credentials (OAuth tokens). Due to the overly broad default scoping, these credentials allow an attacker to pivot from the AI agent's restricted execution context into the broader customer project and Google-managed tenant projects.
## Exploitation
- **Status**: PoC available (Demonstrated by Palo Alto Networks Unit 42)
- **Complexity**: Medium
- **Attack Vector**: Network (via interaction with the AI Agent)
## Impact
- **Confidentiality**: **High** (Unrestricted read access to Google Cloud Storage buckets and private Artifact Registry repositories).
- **Integrity**: **Medium** (Potential mapping of software supply chains and discovery of proprietary blueprints).
- **Availability**: **Low** (Main focus is data exfiltration and IP theft).
## Remediation
### Patches
- As this is a design/permission architectural issue rather than a software bug, there is no "patch" in the traditional sense. Google has updated documentation to clarify resource and account usage.
### Workarounds
- **Bring Your Own Service Account (BYOSA)**: Replace the default P4SA service agent with a custom service account managed by the user.
- **Principle of Least Privilege (PoLP)**: Manually audit and restrict the permissions assigned to AI agents to the absolute minimum required for their specific tasks.
- **OAuth Scope Restriction**: Limit the OAuth scopes available to the machine hosting the AI agent.
## Detection
- **Indicators of Compromise**:
  - Unusual access patterns to Cloud Storage buckets from Vertex AI service identities.
  - Unexpected calls to the Google Cloud Metadata Service (`metadata.google.internal`).
  - Unauthorized downloads or "listing" actions in the Artifact Registry from P4SA accounts.
- **Detection methods and tools**:
  - Monitor GCP Audit Logs (specifically Data Access logs) for the Service Agent identity.
  - Use Cloud Asset Inventory to identify AI agents using default P4SA permissions.
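The detection methods above can be turned into a simple triage rule over Data Access audit logs. The following is an added example written for this summary, not code from Unit 42 or from Google; it assumes the Vertex AI service agent identities in the project follow the `service-PROJECT_NUMBER@gcp-sa-aiplatform*.iam.gserviceaccount.com` naming pattern, that the relevant `protoPayload.serviceName` values are `storage.googleapis.com` and `artifactregistry.googleapis.com`, and that the log entries have the standard Cloud Audit Log shape. The sample entries are constructed for illustration.

```python
"""Flag Cloud Storage / Artifact Registry Data Access log entries made by a
Vertex AI service agent (P4SA) against resources the agent is not expected
to touch. Added example for this summary; not the researchers' or Google's code."""
import re
from collections import Counter

# Assumption: Vertex AI P4SA identities match this pattern (e.g. gcp-sa-aiplatform,
# gcp-sa-aiplatform-re). Adjust for the service agents present in your project.
P4SA_PATTERN = re.compile(
    r"^service-\d+@gcp-sa-aiplatform(-[a-z]+)?\.iam\.gserviceaccount\.com$"
)

# Services whose Data Access logs are worth watching for this issue.
WATCHED_SERVICES = {"storage.googleapis.com", "artifactregistry.googleapis.com"}

# Storage audit logs record the resource as projects/_/buckets/<bucket>/objects/<object>.
BUCKET_PREFIX = "projects/_/buckets/"


def is_p4sa(principal_email: str) -> bool:
    """True if the principal looks like a Vertex AI per-product service agent."""
    return bool(P4SA_PATTERN.match(principal_email or ""))


def bucket_of(resource_name: str) -> str:
    """Extract the bucket name from a Cloud Storage audit-log resourceName."""
    if not resource_name.startswith(BUCKET_PREFIX):
        return ""
    return resource_name[len(BUCKET_PREFIX):].split("/", 1)[0]


def flag_entries(entries, allowed_buckets=frozenset()):
    """Return findings for P4SA access to watched services outside the allow-list.

    allowed_buckets: buckets the agent legitimately uses (e.g. its own staging
    bucket). Artifact Registry access by a P4SA is always reported here, since the
    report's IoCs treat listing/downloads from P4SA accounts as suspicious."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if not is_p4sa(principal):
            continue
        service = payload.get("serviceName", "")
        if service not in WATCHED_SERVICES:
            continue
        resource = payload.get("resourceName", "")
        if service == "storage.googleapis.com" and bucket_of(resource) in allowed_buckets:
            continue
        findings.append({
            "timestamp": entry.get("timestamp", ""),
            "principal": principal,
            "service": service,
            "method": payload.get("methodName", ""),
            "resource": resource,
        })
    return findings


def principal_summary(findings):
    """Count flagged calls per (principal, service); a high count against many
    resources points at enumeration rather than a one-off misfire."""
    return Counter((f["principal"], f["service"]) for f in findings)


# Constructed sample log entries (not real data) in Cloud Audit Log shape.
SAMPLE_ENTRIES = [
    {"timestamp": "2026-03-01T10:00:00Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"},
        "resourceName": "projects/_/buckets/agent-staging-bucket/objects/pickle.pkl"}},
    {"timestamp": "2026-03-01T10:00:05Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.list",
        "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"},
        "resourceName": "projects/_/buckets/finance-exports"}},
    {"timestamp": "2026-03-01T10:00:09Z", "protoPayload": {
        "serviceName": "artifactregistry.googleapis.com",
        "methodName": "google.devtools.artifactregistry.v1.ArtifactRegistry.ListRepositories",
        "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"},
        "resourceName": "projects/example-project/locations/us-central1"}},
    {"timestamp": "2026-03-01T10:01:00Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/_/buckets/finance-exports/objects/q1.csv"}},
    {"timestamp": "2026-03-01T10:01:30Z", "protoPayload": {
        "serviceName": "aiplatform.googleapis.com", "methodName": "google.cloud.aiplatform.v1.PredictionService.Predict",
        "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"},
        "resourceName": "projects/example-project/locations/us-central1/endpoints/1"}},
]

ALLOWED_BUCKETS = frozenset({"agent-staging-bucket"})

if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_ENTRIES, ALLOWED_BUCKETS):
        print(finding)
    print(principal_summary(flag_entries(SAMPLE_ENTRIES, ALLOWED_BUCKETS)))
```

Run against exported Data Access logs, the rule only fires for the two entries that matter: the P4SA listing an unrelated bucket and the P4SA enumerating Artifact Registry repositories. Access by the agent to its own staging bucket, a human user's access, and the agent's normal `aiplatform.googleapis.com` calls are ignored. Note that Data Access logs for Cloud Storage and Artifact Registry are not enabled by default and must be switched on for this to see anything.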
## References
- **Vendor Advisory**: hxxps://docs.cloud.google.com/iam/docs/service-agents
- **Unit 42 Research**: hxxps://unit42.paloaltonetworks[.]com/double-agents-vertex-ai/
- **News Source**: hxxps://thehackernews[.]com/2026/03/vertex-ai-vulnerability-exposes-google.html