PT-2026-32287 · Google · Agent Development Kit
Yoshizawa · Published 2026-04-13 · Updated 2026-04-17

| CVE | CVSS v4.0 | Severity | Vector |
|---|---|---|---|
| CVE-2026-4810 | 9.3 | Critical | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Amber |
Name of the Vulnerable Software and Affected Versions
Google Agent Development Kit versions 1.7.0 through 1.28.0
Google Agent Development Kit version 2.0.0a1 (the 2.0.0 pre-release line)
Description
Code injection and missing authentication in Google Agent Development Kit (ADK) on Python (OSS), Cloud Run, and GKE allow an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. Available technical details indicate the issue may involve the '/builder/save' endpoint, which could allow an attacker to save an arbitrary script on the server and subsequently have it executed.
Recommendations
Update to version 1.28.1 and redeploy to production environments, including local instances of ADK Web.
Update to version 2.0.0a2 and redeploy to production environments, including local instances of ADK Web.
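The two affected ranges above mix a regular release line (1.7.0 through 1.28.0, fixed in 1.28.1) with a pre-release line (2.0.0a1, fixed in 2.0.0a2), and naive string comparison gets pre-release ordering wrong ("2.0.0a2" sorts after "2.0.0" lexically). The following is an added example, not code from Positive Technologies or from Google ADK, that encodes only the ranges and fixed versions stated in this advisory and triages a deployment inventory against them. The inventory entries are constructed sample data, and the PyPI distribution name `google-adk` used for the local lookup is an assumption, not something this page states.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges (inclusive) and fixed versions, exactly as stated in the advisory.
AFFECTED_RANGES = [("1.7.0", "1.28.0"), ("2.0.0a1", "2.0.0a1")]
FIXED_VERSIONS = {1: "1.28.1", 2: "2.0.0a2"}  # keyed by major version line

# Minimal PEP 440 subset: release segment plus an optional a/b/rc pre-release marker.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any pre-release of the same number

Version = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(text: str) -> Version:
    """Parse '1.28.0' or '2.0.0a1' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Normalise trailing zeros so 1.28 == 1.28.0 and 2.0 == 2.0.0.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    pre = (_PRE_ORDER[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return (release, pre)


def is_affected(installed: str) -> bool:
    """True if the installed version falls inside any advisory range."""
    v = parse_version(installed)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(installed: str) -> Optional[str]:
    """Fixed version for the installed major line, or None if not affected."""
    if not is_affected(installed):
        return None
    major = parse_version(installed)[0][0]
    return FIXED_VERSIONS.get(major)


# Constructed sample inventory (hostname, installed ADK version); not real hosts.
SAMPLE_INVENTORY = [
    ("adk-web-dev.internal", "1.28.0"),
    ("agents-prod-cloudrun", "1.28.1"),
    ("agents-canary-gke", "2.0.0a1"),
    ("legacy-lab", "1.6.2"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (host, version, fix) for every inventory entry that needs updating."""
    return [(host, ver, recommended_fix(ver)) for host, ver in inventory if is_affected(ver)]


def installed_adk_version() -> Optional[str]:
    """Version of the locally installed distribution, if present.

    Assumes the PyPI distribution is named 'google-adk' (an assumption, not from the advisory).
    """
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("google-adk")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: ADK {ver} is affected by CVE-2026-4810, update to {fix}")
    local = installed_adk_version()
    if local is not None:
        print(f"local google-adk {local}: {'AFFECTED' if is_affected(local) else 'not affected'}")
```

Running the module triages the sample inventory and, if `google-adk` is installed in the current interpreter, reports whether that copy is in an affected range; feed real inventory data to `triage()` to get the list of deployments that the recommendations above say to redeploy.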
Tags: Fix · RCE · Missing Authentication
Affected Products: Agent Development Kit