Google · Agent Development Kit · CVE-2026-4810
**Name of the Vulnerable Software and Affected Versions**
Google Agent Development Kit versions 1.7.0 through 1.28.0
Google Agent Development Kit version 2.0.0a1
**Description**
Code Injection and Missing Authentication issues in Google Agent Development Kit (ADK) on Python (OSS), Cloud Run, and GKE allow an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. Technical details indicate the issue may involve the '/builder/save' endpoint, which could allow saving and subsequently executing arbitrary scripts on the server.
**Recommendations**
Update to version 1.28.1 and redeploy to production environments, including local instances of ADK Web.
Update to version 2.0.0a2 and redeploy to production environments, including local instances of ADK Web.
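
A version check against the affected ranges listed above, as an added example that is not part of the advisory or of ADK itself. The distribution name `google-adk` and all function names are assumptions, and only `N.N.N` version strings with an optional `aN`/`bN`/`rcN` suffix are handled.

```python
import re
from importlib import metadata

# Affected ranges (inclusive) and the fixed release for each branch,
# copied from the advisory text: (lowest affected, highest affected, fixed).
AFFECTED = [
    ("1.7.0", "1.28.0", "1.28.1"),
    ("2.0.0a1", "2.0.0a1", "2.0.0a2"),
]
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def version_key(text):
    """Sort key for a PEP 440 subset: N.N.N with an optional aN/bN/rcN suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    release += [0] * (3 - len(release))  # pad "1.28" to 1.28.0
    # A pre-release sorts before the final release with the same number.
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return (tuple(release), pre)


def check(version):
    """Return (is_affected, fixed_version_or_None) for an ADK version string."""
    key = version_key(version)
    for low, high, fixed in AFFECTED:
        if version_key(low) <= key <= version_key(high):
            return True, fixed
    return False, None


def check_installed(dist="google-adk"):  # assumed PyPI distribution name
    """Return (installed_version, is_affected, fixed) or None if not installed."""
    try:
        installed = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return (installed, *check(installed))


if __name__ == "__main__":
    result = check_installed()
    print("google-adk not installed" if result is None else result)
```

Run it in each environment where ADK is deployed, including local ADK Web instances, since the recommendation covers both.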