Advisory

Google Vertex AI Flaws Allow Low-Privileged Users to Hijack Service Agents

Take action: Audit your Google Cloud IAM roles to ensure 'Viewer' users cannot access interactive shells on Ray clusters. Restrict update permissions on reasoning engines to prevent malicious code injection into your AI workflows.

Google Vertex AI contains two privilege escalation paths that let low-privileged users hijack high-privilege Service Agents. These flaws affect the Vertex AI Agent Engine and Ray on Vertex AI. Researchers from XM Cyber discovered that default configurations allow attackers to turn "Viewer" permissions into project-wide access. Google currently views these services as working as intended, meaning the risks remain active in standard deployments.

The first attack targets the Vertex AI Agent Engine. Users with the aiplatform.reasoningEngines.update permission can inject malicious Python code into tool definitions. By embedding a reverse shell in a standard function, an attacker gains remote code execution on the compute instance. Once inside, they query the instance metadata service to steal the Reasoning Engine Service Agent token. This agent holds broad rights to access AI memories and storage buckets.

The second flaw involves Ray on Vertex AI. Users with the standard "Vertex AI Viewer" role can access a "Head node interactive shell" directly through the Google Cloud console. This shell provides root access to the head node. From this elevated position, attackers extract the Custom Code Service Agent token. While the token has some IAM limits, it grants full control over several data services across the cloud platform.

Hijacking these Service Agents exposes sensitive corporate data and infrastructure. Attackers can use the stolen identities to read, write, or delete resources. Exposed data items can include:

  • Vertex AI chat sessions and LLM memories
  • Google Cloud Storage (GCS) buckets and private objects
  • BigQuery datasets and Pub/Sub streams
  • System logs and monitoring data
  • Cloud platform metadata and project configurations

Teams should move away from default Google Cloud roles and create custom roles that follow the principle of least privilege. Disable head node shell access for Ray clusters and audit all Python code before updating reasoning engines.
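As an added example (not code from the advisory or from XM Cyber), the following Python script turns the two paths above into an IAM audit: it reads a project policy in the JSON shape that `gcloud projects get-iam-policy` returns and flags every principal that holds a shell-capable predefined role or a role carrying `aiplatform.reasoningEngines.update`. The policy, the project name and the custom role `agentDeployer` are constructed sample data; `roles/aiplatform.viewer` is the real ID of the "Vertex AI Viewer" role, and the role-to-permission map would normally be filled from `gcloud iam roles describe`.

```python
import json
from typing import Dict, List, Set

# Constructed sample policy in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/aiplatform.viewer",
     "members": ["user:analyst@example.com", "group:ml-readers@example.com"]},
    {"role": "projects/example-proj/roles/agentDeployer",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer",
     "members": ["user:ops@example.com"]}
  ]
}
""")

# Constructed role -> permission map. In a real audit, resolve each role with
# `gcloud iam roles describe ROLE`; the agentDeployer custom role is an assumed example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "projects/example-proj/roles/agentDeployer": {
        "aiplatform.reasoningEngines.get",
        "aiplatform.reasoningEngines.update",
    },
    "roles/logging.viewer": {"logging.logEntries.list"},
}

# Permission the advisory ties to code injection into Agent Engine tool definitions.
SENSITIVE_PERMISSIONS = {"aiplatform.reasoningEngines.update"}
# Predefined roles the advisory ties to the Ray head node interactive shell in the console.
SHELL_CAPABLE_ROLES = {"roles/aiplatform.viewer", "roles/viewer"}


def audit_policy(policy: dict, role_perms: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {member: [findings]} for principals exposed to either escalation path."""
    findings: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in SHELL_CAPABLE_ROLES:
                findings.setdefault(member, []).append(
                    f"{role}: can open Ray head node shell; replace with a custom role")
            for perm in sorted(role_perms.get(role, set()) & SENSITIVE_PERMISSIONS):
                findings.setdefault(member, []).append(f"{role}: grants {perm}; restrict")
    return findings


if __name__ == "__main__":
    for member, notes in audit_policy(SAMPLE_POLICY, ROLE_PERMISSIONS).items():
        print(member, *("  - " + n for n in notes), sep="\n")
```

Members that hold neither a shell-capable role nor the update permission, such as `user:ops@example.com` in the sample, produce no finding.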