Researchers at Palo Alto Networks Unit 42 disclosed a permission-model flaw in Google Cloud’s Vertex AI that could let attackers weaponize AI agents to exfiltrate sensitive data and compromise cloud environments. By abusing the Per-Project, Per-Product Service Agent (P4SA) and Agent Engine deployment behavior, attackers can retrieve service-agent credentials via the metadata service and escalate access to customer projects and certain Google-owned resources. #VertexAI #P4SA #AgentEngine #ArtifactRegistry #GoogleCloud
Keypoints
- Unit 42 identified excessive default permissions granted to the P4SA used by Vertex AI agents.
- Calls to a deployed Vertex AI agent invoke the metadata service and expose service-agent credentials and project scopes.
- Stolen credentials enabled lateral movement from the agent context into customer projects, allowing read access to Google Cloud Storage buckets.
- The same credentials revealed and allowed downloading of restricted Artifact Registry images, exposing proprietary Google code.
- Google updated documentation and recommends using BYOSA and enforcing least-privilege permissions to mitigate the risk.
Read More: https://thehackernews.com/2026/03/vertex-ai-vulnerability-exposes-google.html