CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2472: Poisoned Notebooks: Stored XSS in Google Vertex AI SDK

Vulnerability ID: CVE-2026-2472
CVSS Score: 8.6
Published: 2026-02-20

A critical Stored Cross-Site Scripting (XSS) vulnerability in the Google Cloud Vertex AI Python SDK allows attackers to execute arbitrary JavaScript within a victim's Jupyter or Colab environment. By poisoning model evaluation datasets, an attacker can hijack the visualization rendering process to exfiltrate credentials or manipulate notebook sessions.

TL;DR

The Vertex AI SDK for Python (v1.98.0 - v1.130.0) unsafely embedded JSON data into HTML reports. Attackers can inject malicious scripts into datasets or model outputs, which execute when a victim visualizes the evaluation results in Jupyter/Colab. Upgrade to 1.131.0 immediately.
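To make the difference between the two embedding patterns concrete, here is an added example (not code from the SDK or from the original report) that renders one constructed evaluation row both ways and checks where an HTML parser would end the script element. The enclosing <script> tags, the function names, the sample row and the way payload_b64 is produced are assumptions for illustration.

```python
import base64
import json
import re

# Constructed sample row; the inert <b> marker stands in for attacker-controlled markup.
SAMPLE = {"rows": [{"prompt": "hi", "response": "ok</script><b>MARKER</b>"}]}

JS_DECODE = ('JSON.parse(new TextDecoder().decode('
             'Uint8Array.from(atob("%s"), c => c.charCodeAt(0))))')


def render_unsafe(result):
    # Pre-fix pattern: JSON text interpolated directly into the script body.
    return "<script>var vizData_vertex_eval_sdk = %s;</script>" % json.dumps(result)


def render_b64(result):
    # Post-fix pattern: only Base64 characters sit between the quotes.
    # Assumption: payload_b64 is standard Base64 of the UTF-8 JSON text.
    payload_b64 = base64.b64encode(json.dumps(result).encode("utf-8")).decode("ascii")
    return "<script>var vizData_vertex_eval_sdk = %s;</script>" % (JS_DECODE % payload_b64)


def split_at_script_end(html):
    # Approximates the HTML tokenizer: the element ends at the first "</script",
    # whether or not that text sits inside a JavaScript string literal.
    start = html.index("<script>") + len("<script>")
    end = start + re.search(r"</script[\s/>]", html[start:], re.I).start()
    close = html.index(">", end) + 1
    return html[start:end], html[close:]


def recover(html):
    # Python equivalent of the browser-side atob -> TextDecoder -> JSON.parse chain.
    b64 = re.search(r'atob\("([A-Za-z0-9+/=]*)"\)', html).group(1)
    return json.loads(base64.b64decode(b64).decode("utf-8"))


if __name__ == "__main__":
    for render in (render_unsafe, render_b64):
        body, trailing = split_at_script_end(render(SAMPLE))
        print(render.__name__, "-> parsed as HTML after the script:", repr(trailing))
```

The same split_at_script_end check can serve as a regression test for any template that places serialized data inside a script element.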


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-2472
  • CVSS v4.0: 8.6 (High)
  • CWE: CWE-79 (Stored XSS)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H
  • Affected Versions: 1.98.0 - 1.130.0
  • Fix Version: 1.131.0

Affected Systems

  • Google Cloud Vertex AI SDK for Python
  • Jupyter Notebooks using Vertex AI
  • Google Colab instances using Vertex AI
  • Vertex AI Workbench
  • google-cloud-aiplatform: >= 1.98.0, < 1.131.0 (Fixed in: 1.131.0)

Code Analysis

Commit: 8a00d43

Fix: Encode JSON payload to Base64 to prevent XSS

- var vizData_vertex_eval_sdk = {eval_result_json};
+ var vizData_vertex_eval_sdk = JSON.parse(new TextDecoder().decode(Uint8Array.from(atob("{payload_b64}"), c => c.charCodeAt(0))));
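Review bot: on the added line, the safety of the new assignment rests entirely on {payload_b64} containing nothing but Base64 characters, and nothing visible in this hunk shows or enforces that. I would produce the value right next to the template with a standard Base64 encode of the UTF-8 JSON bytes (the JavaScript side decodes with TextDecoder, which defaults to UTF-8), and add a regression test that renders a result whose fields contain a closing script tag and a double quote and asserts that neither appears verbatim in the emitted HTML. The one-line decode chain would also be easier to audit if it were split into named steps with a comment saying why the payload is encoded.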

Exploit Details

  • Internal Research: Exploit involves injecting '...' into JSON fields processed by _get_evaluation_html.

Mitigation Strategies

  • Input Sanitization
  • Output Encoding
  • Dependency Management

Remediation Steps:

  1. Identify installed version: pip show google-cloud-aiplatform
  2. Upgrade to fixed version: pip install --upgrade "google-cloud-aiplatform>=1.131.0"
  3. Restart Jupyter kernel to ensure the new library is loaded.

References

  • Google Cloud Security Bulletin GCP-2026-011: https://docs.cloud.google.com/support/bulletins#gcp-2026-011
  • NVD - CVE-2026-2472: https://nvd.nist.gov/vuln/detail/CVE-2026-2472

Read the full report for CVE-2026-2472 on our website (https://cvereports.com/reports/CVE-2026-2472) for more details including interactive diagrams and full exploit analysis.