Google Vertex AI Default Configurations Enable Privilege Escalation to Service Agent Roles (2026)

Incident Summary

XM Cyber researchers identified two privilege escalation pathways in Google’s Vertex AI platform on January 17, 2026, affecting the Agent Engine and Ray on Vertex AI components.^[1] In the Ray on Vertex pathway, users with only read-only Viewer permissions (specifically aiplatform.persistentResources.list and aiplatform.persistentResources.Get) could access the Ray cluster head node’s interactive shell through the GCP Console, obtaining root-level access and the ability to extract the Custom Code Service Agent’s access token from the metadata service.^[2] This token grants full control over cloud storage (devstorage.full_control), BigQuery, Pub/Sub, and read-only access across the cloud platform — capabilities far exceeding the original Viewer role.^[1] In the Agent Engine pathway, code injection through tool calls enabled access to memories, storage, and logs.^[1] Google responded that the behavior is “working as intended,” meaning the privilege escalation pathways remain active in default deployments.^[3]

Key Facts

• Two attack vectors: Agent Engine (code injection via tool calls) and Ray on Vertex AI (Viewer to root shell escalation)^[1]
• Ray escalation path: Users with read-only Viewer permissions access the head node interactive shell via GCP Console → root access → metadata service query → Service Agent token extraction^[2]
• Token capabilities: Extracted Custom Code Service Agent token grants devstorage.full_control, BigQuery access, Pub/Sub access, and read-only platform access^[1]
• Discovery: XM Cyber researchers, reported January 17, 2026^[1]
• Google response: Characterized as “working as intended” — the risks remain active in default deployments^[3]
• No remediation: No configuration changes or patches announced by Google^[3]

Threat Patterns Involved

Primary: Tool Misuse & Privilege Escalation — The Vertex AI platform’s default configuration grants AI infrastructure components (Ray clusters, Agent Engine) Service Agent tokens with broad cloud resource access. When low-privilege users can interact with these components through intended platform features (the GCP Console shell), the platform’s own access model becomes the escalation mechanism. The “working as intended” response indicates this is a design-level risk rather than a software bug.

Significance

1. “Working as intended” as a security gap — Google’s characterization of the privilege escalation as intended behavior highlights a fundamental tension in AI platform design between developer convenience and security isolation, leaving organizations responsible for mitigating a risk embedded in the platform’s default configuration
2. AI platform insider threat amplification — The ability for any Viewer-role user to escalate to Service Agent access in Vertex AI deployments significantly expands the insider threat surface for organizations using the platform
3. Shared responsibility model ambiguity — The incident demonstrates that cloud AI platforms may grant AI infrastructure components (agents, compute clusters) elevated permissions that exceed what organizations expect based on the human user roles they assign