Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

Customers

CVE-2026-2473 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-2473

CVE-2026-2473

HIGH7.7

Bucket Squatting in Vertex AI Experiments leads to RCE and Model Theft.

Published Feb 20, 2026

Modified 1 weeks ago

Details

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

This vulnerability was patched and no customer action is needed.

References

WEB

https://docs.cloud.google.com/support/bulletins#gcp-2026-012

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-2473

CVSS Analysis

CVSS v4.0

7.7

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

PresentAT:P

Privileges Required

NonePR:N

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

7.7/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

Weakness Type (CWE)

Other

CWE-340

Ecosystems

Timeline

PublishedFeb 20, 2026

ModifiedFeb 23, 2026