
CVE-2026-2472: Google Cloud Vertex AI SDK XSS Vulnerability

CVE-2026-2472 is a stored XSS flaw in Google Cloud Vertex AI SDK that allows attackers to execute arbitrary JavaScript in Jupyter or Colab environments. This post covers technical details, affected versions, impact, and mitigation.

Published: February 27, 2026

CVE-2026-2472 Overview

A Stored Cross-Site Scripting (XSS) vulnerability exists in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform). This vulnerability affects versions from 1.98.0 up to (but not including) 1.131.0 and allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment by injecting script escape sequences into model evaluation results or dataset JSON data.

Critical Impact

Attackers can execute arbitrary JavaScript code in a victim's Jupyter or Colab environment, potentially leading to data theft, session hijacking, or further compromise of machine learning workflows.

Affected Products

  • Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions 1.98.0 to 1.130.x
  • Jupyter Notebook environments using affected SDK versions
  • Google Colab environments with vulnerable SDK installations

Discovery Timeline

  • 2026-02-20 - CVE-2026-2472 published to NVD
  • 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2026-2472

Vulnerability Analysis

This Stored XSS vulnerability (CWE-79) resides in the evaluation visualization component of Google Cloud's Vertex AI SDK. The _genai/_evals_visualization module fails to properly sanitize user-controlled input when rendering model evaluation results and dataset JSON data within interactive notebook environments.

When users work with Vertex AI's evaluation features in Jupyter notebooks or Google Colab, the SDK renders visualization outputs that include model evaluation metrics and dataset contents. The vulnerability arises because script escape sequences embedded within these data sources are not adequately escaped or sanitized before being rendered in the notebook's HTML output context.

The attack surface is particularly concerning because it targets machine learning practitioners who routinely process untrusted datasets and model outputs. An attacker can craft malicious JSON payloads containing JavaScript that executes when the victim views evaluation results.

Root Cause

The root cause is improper input validation and insufficient output encoding in the _genai/_evals_visualization component. The SDK fails to sanitize script escape sequences present in model evaluation results or dataset JSON data before rendering them in HTML visualization components. This allows attackers to inject executable JavaScript that persists in the visualization output.
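
The failure class described above, shown as an added example that is not the SDK's code (the page does not reproduce the vulnerable source). It assumes the common pattern of embedding JSON inside an HTML `<script>` element; the function names and the sample row are hypothetical.

```python
import json

# Characters that can end or alter a <script> block when they appear raw
# inside embedded JSON. Each is replaced by its \uXXXX JSON escape, which
# any JSON parser decodes back to the original character.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def embed_naive(data):
    """Unsafe pattern: json.dumps output placed straight into a <script> element."""
    return "<script>const DATA = " + json.dumps(data) + ";</script>"


def json_for_script(data):
    """Serialize data so the result stays inert inside a <script> element."""
    text = json.dumps(data, ensure_ascii=False)
    for raw, escaped in _HTML_UNSAFE.items():
        text = text.replace(raw, escaped)
    return text


def embed_safe(data):
    """Hardened form: same markup, but the JSON cannot close the element."""
    return "<script>const DATA = " + json_for_script(data) + ";</script>"


def script_close_count(html):
    """Count </script closers; a single well-formed block has exactly one."""
    return html.lower().count("</script")


def round_trips(data):
    """The escaped JSON must still decode to the original value."""
    return json.loads(json_for_script(data)) == data


# Constructed sample row, not taken from any real dataset.
SAMPLE_ROW = {"prompt": "hi", "response": "x</script><script>MARKER()</script>"}
```

With the naive form, the data supplies extra `</script` closers, so the HTML parser ends the block early; with the hardened form, only the wrapper's own closer remains and the data still decodes unchanged.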

Attack Vector

The attack exploits the network-accessible nature of machine learning workflows. An attacker can inject malicious JavaScript payloads into model evaluation results or dataset JSON data that will later be processed by a victim using the vulnerable Vertex AI SDK. When the victim loads and visualizes this data in their Jupyter or Colab environment, the injected script executes within their browser context.

This is particularly dangerous in collaborative ML workflows where datasets and model outputs are shared between team members. The stored nature of this XSS means the malicious payload persists in the data and can affect multiple users who access the same resources.

The vulnerability does not require authentication for the attacker, though it does require user interaction (the victim must view the malicious visualization). Once triggered, the attacker can potentially access sensitive data within the notebook environment, steal authentication tokens, or manipulate ML workflows.

Detection Methods for CVE-2026-2472

Indicators of Compromise

  • Unusual JavaScript patterns in model evaluation result files or dataset JSON containing <script> tags or event handlers
  • Unexpected network requests originating from Jupyter or Colab notebooks to external domains
  • Browser console errors or warnings related to Content Security Policy violations during visualization rendering
  • Modified or tampered dataset JSON files with embedded script escape sequences

Detection Strategies

  • Implement static analysis scanning for JavaScript injection patterns in model evaluation outputs and datasets before visualization
  • Monitor network traffic from notebook environments for suspicious outbound connections to unknown destinations
  • Enable browser developer tools logging to detect unexpected script execution during visualization workflows
  • Review audit logs for unusual data access patterns or modifications to shared datasets

Monitoring Recommendations

  • Deploy endpoint detection and response (EDR) solutions capable of monitoring browser-based JavaScript execution within notebook environments
  • Implement Content Security Policy (CSP) headers in Jupyter deployments to restrict unauthorized script execution
  • Enable logging of all dataset imports and model evaluation result processing activities
  • Configure alerting for anomalous data patterns in ML pipelines, particularly in shared or collaborative environments

How to Mitigate CVE-2026-2472

Immediate Actions Required

  • Upgrade google-cloud-aiplatform SDK to version 1.131.0 or later immediately
  • Audit all datasets and model evaluation results for potential injection payloads before visualization
  • Implement input validation for any externally-sourced evaluation data or datasets
  • Consider isolating ML visualization workflows to sandboxed environments until patches are applied
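
One way to carry out the pre-visualization audit recommended here and under Detection Strategies, as an added example rather than SentinelOne or Google tooling. It assumes the data is stored as JSON Lines; the patterns, function names, and sample records are constructed for illustration.

```python
import json
import re

# Heuristic patterns for the indicators listed on this page: script tags and
# inline event handlers. Assumed for triage; expect false positives on HTML data.
PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
}


def scan(node, path="$"):
    """Walk parsed JSON; return (json_path, pattern_name) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += scan(key, f"{path}.<key>")  # keys are rendered too
            findings += scan(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings += scan(value, f"{path}[{index}]")
    elif isinstance(node, str):
        findings += [(path, n) for n, rx in PATTERNS.items() if rx.search(node)]
    return findings


def scan_jsonl(text):
    """Scan JSON Lines text; return (line_number, json_path, pattern_name)."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            results.append((number, "$", "unparseable"))
            continue
        results += [(number, p, n) for p, n in scan(record)]
    return results


# Constructed sample evaluation dataset (JSON Lines), for illustration only.
SAMPLE = "\n".join([
    '{"prompt": "Summarize the report", "response": "Revenue rose 4%."}',
    '{"prompt": "hi", "response": "ok</script><script>MARKER()</script>"}',
    '{"prompt": "q", "metrics": [{"note": "<img src=x onerror=MARKER()>"}]}',
    '{"prompt": "Is 3 < 5 and 7 > 2?", "response": "yes"}',
])
```

Calling `scan_jsonl(SAMPLE)` flags lines 2 and 3 with the JSON path of the offending field and leaves the plain comparison text on line 4 alone. A clean scan does not replace upgrading to the patched SDK.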

Patch Information

Google has addressed this vulnerability in version 1.131.0 of the google-cloud-aiplatform SDK. Users should upgrade to this version or later to receive the security fix. For detailed patch information, refer to the Google Cloud Security Bulletin.

Workarounds

  • Avoid processing untrusted datasets or model evaluation results in Jupyter/Colab environments until upgraded
  • Implement strict Content Security Policy headers in Jupyter deployments to prevent inline script execution
  • Review and sanitize all JSON data inputs before using visualization features
  • Use isolated virtual environments for processing potentially untrusted ML data
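
```bash
# Upgrade to the patched version.
# The requirement is quoted so the shell does not treat ">" as output redirection.
pip install --upgrade "google-cloud-aiplatform>=1.131.0"

# Verify the installed version
pip show google-cloud-aiplatform | grep Version
```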

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XSS
  • Vendor/Tech: Google Cloud Vertex AI
  • Severity: HIGH
  • CVSS Score: 8.6
  • EPSS Probability: 0.19%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-79

Technical References

  • Google Cloud Security Bulletin

Related CVEs

  • CVE-2026-2473: Google Cloud Vertex AI RCE Vulnerability