
Google Vertex AI Flaw Turns Agents into ‘Double Agents’

Google Vertex AI ‘Double Agents’ flaw allows low-privilege users to weaponize AI agents to exfiltrate cloud data.

Palo Alto Networks Unit 42 said it found a security weakness in Google Cloud Vertex AI that transforms a benign AI agent into a full insider threat bot capable of exfiltrating sensitive data from a target’s cloud environment.

According to Unit 42, the vulnerability enabled low-privilege users to manipulate AI agents to access restricted company data, internal images, and proprietary source code hosted on Google infrastructure.

Vertex AI is Google Cloud’s managed platform for building, training and deploying AI models and agents, which makes it a central store for both the proprietary code behind a company’s Large Language Model (LLM) applications and the datasets used to train them.

Researchers found that the weakness lies in Vertex AI’s default setup, which equips its Google-managed service agents (P4SAs, per-product, per-project service accounts) with excessive OAuth 2.0 ‘scopes’, essentially a set of master keys. Those scopes are far broader than anything a low-privilege user should be able to exercise, yet any agent running under that default identity can use them.

In simple terms, the AI agent is issued a digital passport pre-stamped for every restricted zone in the company. An attacker who can instruct the agent borrows that passport through it and can unlock data across the entire Google Cloud project.

The weakness was disclosed to Google, which then revised its documentation to spell out more clearly how Vertex AI uses resources, accounts and agents. The researchers also pointed to a mitigation strategy that Google now recommends: Bring Your Own Service Account, or BYOSA, which lets customers replace the default service agent with a custom account scoped to least privilege.
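The two paragraphs above describe the root cause (an agent running as the default service agent with broad OAuth 2.0 scopes) and the mitigation (BYOSA). The first thing a practitioner will want is a way to see which identity their own agent runtime actually holds. The script below is an added example, not code from the article, from Unit 42 or from Google: it reads the e-mail and access token the Google Cloud metadata server hands out, asks Google’s tokeninfo endpoint for the token’s scopes, and flags a Google-managed service agent and project-wide scopes. It assumes the agent runtime exposes the standard metadata-server paths, that Google-managed service agents use a `gcp-sa-<product>` domain, and it falls back to constructed sample identities (illustrative project number and account names, not observed data) when run outside Google Cloud.

```python
"""Added example: check which identity a Vertex AI agent runtime holds and
how broad its OAuth 2.0 scopes are. Not the article's, Google's or Unit 42's code."""
import json
import urllib.request

# Google Cloud metadata server paths as exposed to GCE-style workloads; it is an
# assumption here that the Vertex AI agent runtime exposes the same paths.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/")
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo?access_token="

# Scopes that put every Google Cloud API within reach of the token holder
# (IAM bindings still apply, but a default service agent usually has plenty).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloud-platform.read-only",
}


def _metadata(path: str) -> str:
    """Read one metadata-server path (network call; the Google header is required)."""
    req = urllib.request.Request(METADATA_URL + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode()


def fetch_runtime_identity() -> tuple[str, str]:
    """Return (service account e-mail, space-separated scope string) for the
    credentials the current runtime hands out. Only works inside Google Cloud."""
    email = _metadata("email").strip()
    token = json.loads(_metadata("token"))["access_token"]
    with urllib.request.urlopen(TOKENINFO_URL + token, timeout=5) as resp:
        info = json.load(resp)
    return email, info.get("scope", "")


def is_google_managed_service_agent(email: str) -> bool:
    """Most Google-managed service agents (P4SAs) live in a gcp-sa-<product>
    domain; a customer-created account lives in <project>.iam.gserviceaccount.com."""
    domain = email.rsplit("@", 1)[-1]
    return domain.startswith("gcp-sa-") and domain.endswith(".iam.gserviceaccount.com")


def assess_identity(email: str, scope_string: str) -> dict:
    """Classify the identity and token scopes an agent prompted by a user could use."""
    scopes = set(scope_string.split())
    broad = scopes & BROAD_SCOPES
    managed = is_google_managed_service_agent(email)
    findings = []
    if managed:
        findings.append("runs as a Google-managed service agent; anyone who can "
                        "deploy or prompt an agent can borrow it (consider BYOSA)")
    if broad:
        findings.append("token carries project-wide scope: " + ", ".join(sorted(broad)))
    return {
        "email": email,
        "google_managed": managed,
        "scopes": sorted(scopes),
        "broad_scopes": sorted(broad),
        "findings": findings,
    }


# Constructed sample (illustrative project number, not observed data): the default
# Vertex AI service agent with the scopes a metadata-server token typically has.
SAMPLE_DEFAULT = (
    "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com",
    "https://www.googleapis.com/auth/cloud-platform "
    "https://www.googleapis.com/auth/userinfo.email",
)
# Constructed sample: a BYOSA identity whose token is limited to read-only storage.
SAMPLE_BYOSA = (
    "agent-runner@my-project.iam.gserviceaccount.com",
    "https://www.googleapis.com/auth/devstorage.read_only",
)

if __name__ == "__main__":
    try:
        identity = fetch_runtime_identity()
    except Exception:  # offline or not on Google Cloud: fall back to the sample
        identity = SAMPLE_DEFAULT
    for label, (email, scopes) in (("runtime", identity), ("byosa-sample", SAMPLE_BYOSA)):
        print(label, json.dumps(assess_identity(email, scopes), indent=2))
```

Scopes only bound what a token may ask for; with BYOSA the control that actually enforces least privilege is the set of IAM roles granted to the custom service account, so a clean scope report should be followed by a review of that account’s role bindings.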

The attack vector is unique in that a malicious user doesn’t need to hack into the system directly. Rather, they can prompt an AI agent running inside the Vertex AI environment to perform the privilege escalation and data exfiltration on their behalf — turning the AI itself into the attacker.

Google collaborated with Unit 42 during responsible disclosure.

Photo by Ricardo Gomez Angel on Unsplash
