The Vertex AI double agent flaw represents a critical security blind spot in Google Cloud’s AI platform that researchers have only recently exposed. Unit 42 researchers from Palo Alto Networks discovered that misconfigured or overprivileged AI agents deployed on Vertex AI can secretly act as double agents, exfiltrating sensitive customer data and Google’s internal code across cloud tenants. The vulnerability stems from default overbroad permissions assigned to service agents, allowing low-privileged users to hijack high-privilege accounts and deploy malicious AI workloads that appear benign while quietly stealing data in the background.
Key Takeaways
- Unit 42 researchers discovered the Vertex AI double agent flaw affecting Google Cloud Platform’s AI service agents
- Overprivileged service agents with excessive default permissions enable privilege escalation attacks
- Malicious AI agents can exfiltrate customer datasets, Google internal code, and private artifacts across tenants
- Related CVE-2026-2473 allows unauthenticated remote code execution and model theft via predictable endpoints
- Vulnerability published March 31, 2026, amid rising enterprise AI adoption and security concerns
How the Vertex AI Double Agent Flaw Works
The Vertex AI double agent flaw exploits a fundamental architectural weakness: service agents inherit default permissions far broader than they need. A low-privileged user can create what appears to be a standard AI agent, but this agent leverages its overbroad default permissions to escalate privileges within the cloud environment. Once elevated, the agent acts as a double agent—performing its assigned tasks normally while secretly querying and exfiltrating high-privilege resources. The attacker gains access to customer datasets, Google internal artifacts, and sensitive code without triggering obvious alarms because the malicious activity occurs within an authorized service’s normal permission scope.
The exploitation process is straightforward enough that researchers demonstrated it as a proof of concept. A low-privileged attacker deploys a malicious AI agent that appears to serve a legitimate function. The agent then uses its inherited high-privilege permissions to access resources it should never touch, exfiltrating data back to the attacker’s infrastructure. This design flaw means that every Vertex AI customer using service agents with default configurations faces potential exposure.
Critical Privilege Escalation Vulnerabilities Enable Wider Compromise
Two critical privilege escalation vulnerabilities compound the double agent problem, allowing attackers to compromise entire cloud environments. The related CVE-2026-2473 is particularly severe: it enables unauthenticated remote attackers to achieve cross-tenant remote code execution, model theft, and model poisoning by exploiting pre-created predictable endpoints. This means an attacker outside an organization can potentially gain access to another customer’s Vertex AI infrastructure without any credentials, simply by predicting endpoint URLs. The predictability of these endpoints—a configuration oversight in GCP’s default setup—transforms the double agent flaw from a privilege escalation issue into a cross-tenant data breach vector.
The combination of overprivileged agents and predictable endpoints creates a compounding risk. An attacker can not only steal data but also poison machine learning models deployed by other customers, potentially corrupting AI systems across multiple organizations. Google Cloud’s security bulletins acknowledge that the vulnerability disclosure-to-exploitation window has collapsed to days, meaning organizations have minimal time to patch before attackers weaponize the flaw.
Why This Matters for Enterprise AI Adoption
The Vertex AI double agent flaw exposes a critical gap in how enterprises think about AI agent security. As organizations rush to deploy AI agents for automation, cost reduction, and operational efficiency, they often inherit default configurations without understanding the permission model. Most teams deploying Vertex AI focus on functionality (does the agent work?) rather than security posture (what can the agent access?). This gap between deployment speed and security hardening is exactly where the double agent flaw thrives.
Google Cloud’s threat horizon reports indicate an expected surge in prompt injection attacks and agent-based exploitation in 2026. The Vertex AI double agent flaw demonstrates that these attacks do not require sophisticated zero-days; they exploit architectural decisions and default configurations that organizations overlook. Unlike traditional cloud vulnerabilities that affect specific services, the double agent flaw affects any organization using Vertex AI service agents without explicit permission restrictions. This breadth of exposure makes it fundamentally different from typical CVEs that impact a narrow set of configurations.
What Organizations Should Do Now
Organizations using Vertex AI service agents should immediately audit their agent configurations and apply the principle of least privilege to all service agent permissions. Rather than accepting default permissions, explicitly define what each agent needs to access (specific datasets, models, or resources) and restrict permissions accordingly. This is not a patch-and-move-on vulnerability; it requires architectural changes to how agents are deployed and what permissions they inherit.
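One way to run that audit, as an added example that is not code from the article, Unit 42 or Google: parse the project IAM policy and report every Google-managed service agent that holds a basic role at project scope. The service-agent address pattern, the role list and the sample policy are assumptions made for this example.

```python
import json
import re

# Google-managed service agents use addresses of this shape; the Vertex AI ones
# live in gcp-sa-aiplatform / gcp-sa-aiplatform-cc (assumption for this example).
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")

# Basic roles grant blanket access to every resource in the project; a service
# agent holding one of them at project scope is the overprivileged case.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT
# --format=json`; the project number and the bindings are made up.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"]},
    {"role": "roles/aiplatform.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform-cc.iam.gserviceaccount.com",
                 "user:analyst@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}""")

def service_agent_roles(policy):
    """Inventory: {service agent: sorted list of roles it holds in this policy}."""
    inventory = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if SERVICE_AGENT_RE.match(member):
                inventory.setdefault(member, set()).add(binding["role"])
    return {member: sorted(roles) for member, roles in inventory.items()}

def overbroad_findings(policy):
    """{service agent: [overbroad roles]}: the bindings to replace with grants
    scoped to one bucket, dataset or model, or with a narrower predefined role."""
    return {member: [r for r in roles if r in OVERBROAD_ROLES]
            for member, roles in service_agent_roles(policy).items()
            if any(r in OVERBROAD_ROLES for r in roles)}

if __name__ == "__main__":
    for agent, roles in overbroad_findings(SAMPLE_POLICY).items():
        print(f"{agent}: remove {', '.join(roles)}")
```

Bindings that carry an IAM condition are still reported; review those by hand before removing them.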
Monitoring is equally critical. Organizations should implement logging and alerting on service agent access patterns, especially cross-tenant queries or access to sensitive internal artifacts. Unusual data exfiltration attempts should trigger immediate investigation. The double agent nature of the flaw means that malicious activity occurs within authorized service contexts, so behavioral analysis and baseline deviation detection become essential security controls.
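An added example of the access-pattern check described here, not code from the article or from Google: it runs over constructed Cloud Audit Log entries and flags a service agent that touches resources outside its declared scope, or that belongs to a different project than the one being logged. The field names follow the audit-log JSON layout; the project numbers, bucket names and declared scopes are assumptions.

```python
import json
import re

HOME_PROJECT_NUMBER = "123456789012"   # assumption: the project these logs come from
SERVICE_AGENT_RE = re.compile(
    r"^service-(\d+)@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")

# Declared scope per service agent: the resources it legitimately needs, written
# down when least privilege was applied (constructed; the prefixes are made up).
EXPECTED_ACCESS = {
    "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com": (
        "projects/_/buckets/training-data-prod/",
        "projects/123456789012/locations/us-central1/",
    ),
}

# Constructed Cloud Audit Log entries, reduced to the fields the check reads.
SAMPLE_LOG = [json.loads(line) for line in """
{"timestamp":"2026-03-31T10:00:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/training-data-prod/objects/train.csv"}}
{"timestamp":"2026-03-31T10:00:05Z","protoPayload":{"authenticationInfo":{"principalEmail":"service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/customer-pii-exports/objects/users.parquet"}}
{"timestamp":"2026-03-31T10:00:09Z","protoPayload":{"authenticationInfo":{"principalEmail":"service-999999999999@gcp-sa-aiplatform.iam.gserviceaccount.com"},"methodName":"aiplatform.models.get","resourceName":"projects/123456789012/locations/us-central1/models/4242"}}
{"timestamp":"2026-03-31T10:00:12Z","protoPayload":{"authenticationInfo":{"principalEmail":"analyst@example.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/customer-pii-exports/objects/users.parquet"}}
""".split("\n") if line]

def check_entry(entry):
    """Alert reasons for one audit-log entry; an empty list means nothing to flag."""
    payload = entry["protoPayload"]
    principal = payload["authenticationInfo"]["principalEmail"]
    match = SERVICE_AGENT_RE.match(principal)
    if not match:
        return []  # human users and customer-managed SAs are covered by other rules
    reasons = []
    if match.group(1) != HOME_PROJECT_NUMBER:
        reasons.append(f"service agent from another project ({match.group(1)})")
    resource = payload["resourceName"]
    if not any(resource.startswith(p) for p in EXPECTED_ACCESS.get(principal, ())):
        reasons.append(f"outside declared scope: {resource}")
    return reasons

def scan(entries):
    """(timestamp, principal, method, reasons) for every entry worth investigating."""
    alerts = []
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            payload = entry["protoPayload"]
            alerts.append((entry["timestamp"], payload["authenticationInfo"]["principalEmail"],
                           payload["methodName"], reasons))
    return alerts
```

In production the declared scopes come from the same least-privilege inventory used to set the IAM bindings, so the two stay in sync.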
Does the Vertex AI double agent flaw affect all Google Cloud customers?
The Vertex AI double agent flaw specifically affects customers using Vertex AI service agents with default or overprivileged configurations. Organizations that have explicitly restricted service agent permissions to the minimum required scope face lower risk, but the default configuration leaves most deployments vulnerable.
Can I still use Vertex AI safely after this disclosure?
Yes, but only with explicit security hardening. Apply the principle of least privilege to all service agent permissions, audit existing agent configurations, and implement monitoring for suspicious access patterns. The vulnerability is a configuration and architectural issue, not a fundamental flaw in Vertex AI’s core functionality.
What is CVE-2026-2473 and how does it relate to the double agent flaw?
CVE-2026-2473 is a related privilege escalation vulnerability that enables unauthenticated remote code execution and model theft via predictable endpoints. It compounds the double agent flaw by allowing attackers outside an organization to gain access without credentials, turning the privilege escalation issue into a cross-tenant breach vector.
The Vertex AI double agent flaw is a stark reminder that AI security is not just about preventing malicious prompts or poisoned training data—it is about fundamental cloud architecture and permission models. As enterprises accelerate AI adoption, the security practices that worked for traditional cloud workloads must evolve to account for the unique risks that AI agents introduce. The flaw was discovered by security researchers, not by victims discovering breaches in production, which means the window to secure Vertex AI deployments is still open. Organizations that act now can harden their configurations before attackers weaponize the vulnerability at scale.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar