GCP Cross‑Tenant Bucket Flaw Reported
- A security researcher detailed a GCP cross‑tenant bucket vulnerability that could expose internal resources in multi‑tenant setups.
- The post explains how misconfigured resource handling allowed cross‑tenant access to cloud storage in some cases.
- The disclosure underscores the importance of strict tenant isolation and access controls in cloud orchestration systems (x.com).
Cloud customers share the same provider hardware, but they are supposed to get separate rooms. A newly disclosed Google Cloud flaw showed how a guessed storage bucket name could break that separation in some managed services. (owasp.org)

Google Cloud disclosed on February 20, 2026 that Vertex AI Experiments had a vulnerability in versions 1.21.0 up to, but not including, 1.133.0. Google said predictable bucket naming could let an unauthenticated attacker pre-create a Cloud Storage bucket and trigger cross-tenant remote code execution, model theft, or model poisoning. (docs.cloud.google.com) (nvd.nist.gov)

In plain terms, a bucket is a cloud storage folder with a globally unique name. If a service automatically picks an easy-to-guess name, an attacker can register that name first and make a victim service write data into the attacker’s bucket instead. (nvd.nist.gov) (github.com) That attack is often called bucket squatting. Google’s bulletin says the Vertex AI issue was patched and that no customer action was needed for mitigation, while the GitHub advisory lists version 1.133.0 as the patched release. (docs.cloud.google.com) (github.com)

The disclosure landed amid a run of cross-tenant findings in Google Cloud managed services. In January 2026, researcher Omer Amiad disclosed “GatewayToHeaven,” a Google Cloud Apigee flaw that he said allowed read and write access to cross-tenant logs and analytics data, including plaintext access tokens in some cases. (omeramiad.com) (focalsecurity.io)

Google’s own bug tracker also shows another bucket-squatting report in Application Design Center. In that case, researcher Jakub Domeracki said a service-created bucket name followed the pattern `${project_id}-us-central1-adc`, which could let an attacker claim it before the victim enabled the service. (bughunters.google.com)

These bugs all turn on the same cloud design rule: one tenant must never be able to predict, claim, or reuse another tenant’s internal resource names.
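The squatting pattern and its mitigation, as an added illustration that is not Google's code and not taken from any of the reports above. The `BucketNamespace` class is a constructed stand-in for the global, flat Cloud Storage bucket namespace; `naive_provision` mirrors the predictable `${project_id}-us-central1-adc` naming from the Application Design Center report, and `hardened_provision` and `verify_bucket_owner` are hypothetical names for the two defensive changes a service would make.

```python
import secrets


class BucketNamespace:
    """Constructed stand-in for the global bucket namespace: name -> owning project.
    Like the real service, a name can be created only once, by whoever asks first."""

    def __init__(self):
        self._owners = {}

    def create(self, name, project_id):
        if name in self._owners:
            return False          # name already taken, possibly by another tenant
        self._owners[name] = project_id
        return True

    def owner(self, name):
        return self._owners.get(name)


def naive_provision(ns, project_id):
    """Vulnerable pattern: derive a guessable name from the project id and
    reuse the bucket if it already exists, without checking who owns it.
    A squatter who created the name first receives everything written later."""
    name = f"{project_id}-us-central1-adc"
    if ns.owner(name) is None:    # "create it if it does not exist yet"
        ns.create(name, project_id)
    return name                   # returned even when another tenant owns it


def hardened_provision(ns, project_id):
    """Mitigation 1: an unguessable suffix removes the pre-creation window.
    Mitigation 2: a failed create is an error, never a silent reuse."""
    name = f"{project_id}-{secrets.token_hex(8)}"
    if not ns.create(name, project_id):
        raise RuntimeError("bucket name collision; refusing to reuse")
    return name


def verify_bucket_owner(ns, name, project_id):
    """Check to run before every write: the bucket must belong to this tenant."""
    return ns.owner(name) == project_id
```

In the scenario the test walks through, a second tenant registers `victim-proj-us-central1-adc` first; the naive provisioner hands that name back to the victim, the ownership check rejects it, and the hardened provisioner yields a fresh name the victim actually owns.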
OWASP’s Cloud Tenant Isolation project describes cross-tenant flaws as failures of the security boundaries that are supposed to keep unrelated customers apart. (owasp.org) For companies using managed cloud services, the hard part is that the vulnerable code often runs in infrastructure the provider controls. Google said the Vertex AI issue was fixed on its side, which closed the immediate flaw, but the pattern keeps drawing scrutiny because tenant isolation is the core promise behind shared cloud platforms. (docs.cloud.google.com) (owasp.org)