CVE-2026-4810 Overview
A critical Code Injection and Missing Authentication vulnerability has been identified in Google Agent Development Kit (ADK), a framework used for developing AI agents. The vulnerability affects ADK versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) running on Python (OSS), Cloud Run, and Google Kubernetes Engine (GKE) platforms. This security flaw allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance, potentially leading to complete system compromise.
Critical Impact
Unauthenticated remote attackers can execute arbitrary code on servers running vulnerable ADK instances, enabling full system takeover without requiring any credentials.
Affected Products
- Google Agent Development Kit (ADK) versions 1.7.0 through 1.28.0 (Python OSS)
- Google Agent Development Kit (ADK) versions 2.0.0a1 through 2.0.0a2 (Alpha releases)
- ADK deployments on Cloud Run, GKE, and local ADK Web instances
Discovery Timeline
- 2026-04-13 - CVE-2026-4810 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-4810
Vulnerability Analysis
This vulnerability combines two dangerous security weaknesses: Code Injection (allowing attackers to inject and execute malicious code) and Missing Authentication (CWE-306), which permits unauthenticated access to critical functionality. The combination is particularly severe as it creates a direct path for remote attackers to compromise ADK instances without needing any credentials or user interaction.
The network-accessible nature of this vulnerability means that any ADK instance exposed to the network—whether deployed on Cloud Run, GKE, or running locally via ADK Web—is potentially at risk. The lack of authentication requirements means attackers can directly target vulnerable endpoints to inject and execute arbitrary code with the privileges of the ADK process.
Root Cause
The root cause stems from Missing Authentication for Critical Function (CWE-306). The ADK framework failed to implement proper authentication controls on endpoints that accept and process code or commands, combined with insufficient input validation that allows code injection. This architectural oversight permits unauthenticated users to access functionality that should require authentication, and subsequently inject malicious code payloads.
Attack Vector
The attack is conducted over the network without requiring any user interaction or prior authentication. An attacker can craft malicious requests targeting vulnerable ADK endpoints to inject arbitrary code that will be executed on the hosting server. The exploitation path does not require any privileges, making it highly accessible to attackers.
Given the deployment contexts (Cloud Run, GKE, local instances), successful exploitation could provide attackers with:
- Access to cloud service credentials and metadata
- Lateral movement capabilities within container orchestration environments
- Access to sensitive data processed by AI agents
- Persistence mechanisms within the compromised infrastructure
Due to the absence of verified proof-of-concept code, specific exploitation techniques are not detailed here. Organizations should refer to the GitHub Changelog for ADK-Python for additional technical context on the vulnerability and patches.
Detection Methods for CVE-2026-4810
Indicators of Compromise
- Unusual process spawning or command execution from ADK service processes
- Unexpected outbound network connections from ADK instances
- Anomalous API requests to ADK endpoints containing code-like payloads or injection patterns
- Unauthorized file system modifications or new file creation in ADK deployment directories
Detection Strategies
- Monitor ADK service logs for malformed or suspicious requests targeting code execution endpoints
- Implement network-level inspection for requests containing code injection patterns destined for ADK instances
- Deploy runtime application self-protection (RASP) to detect code injection attempts
- Establish baseline behavior for ADK instances and alert on deviations in process execution or network activity
Monitoring Recommendations
- Enable verbose logging on all ADK deployments to capture detailed request information
- Configure cloud provider security services (Cloud Audit Logs for GCP, Container-level logging for GKE) to monitor ADK workloads
- Set up alerts for authentication failures or unauthorized access attempts on ADK services
- Monitor container and pod activity in GKE deployments for signs of compromise
How to Mitigate CVE-2026-4810
Immediate Actions Required
- Upgrade Google Agent Development Kit to version 1.28.1 or 2.0.0a2 immediately
- Redeploy upgraded ADK to all production environments on Cloud Run and GKE
- Upgrade local ADK Web instances to the patched version
- Implement network segmentation to limit exposure of ADK instances until patching is complete
Patch Information
Google has released patched versions 1.28.1 and 2.0.0a2 that address this vulnerability. Organizations must not only upgrade the ADK package but also redeploy the upgraded version to their production environments. Local ADK Web instances require separate upgrades. Detailed changelog information is available in the GitHub Changelog for ADK-Python.
Workarounds
- Implement network-level access controls to restrict ADK instance access to trusted IP ranges only
- Deploy a Web Application Firewall (WAF) in front of ADK instances to filter malicious requests
- Enable authentication at the infrastructure level (API Gateway, Load Balancer) if ADK authentication cannot be immediately remediated
- Consider temporarily taking vulnerable ADK instances offline if they process sensitive data and cannot be immediately patched
# Example: Upgrade ADK-Python to patched version
pip install --upgrade google-adk>=1.28.1
# Verify installed version
pip show google-adk | grep Version
# For GKE deployments, rebuild and redeploy container images
# kubectl set image deployment/adk-deployment adk-container=your-registry/adk-image:patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
