Unauthenticated RCE fixed in Google Agent Development Kit
TL;DR — A Critical missing-auth + code-injection flaw in Google ADK can allow unauthenticated remote attackers to execute arbitrary code on servers hosting exposed ADK instances.
What happened
Google Agent Development Kit (ADK) is an open-source framework for building and deploying AI agents, including deployments on Python (OSS) as well as Google Cloud environments like Cloud Run and GKE.
CVE-2026-4810 describes a Code Injection issue combined with Missing Authentication for a critical function that can allow an unauthenticated remote attacker to execute arbitrary code on the server hosting an ADK instance.
| Item | Source value |
|---|---|
| Severity | CVSS v4.0 9.3 (Critical) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Amber |
| Exploit maturity (CVSS) | PROOF_OF_CONCEPT |
| Vulnerability class (CWE) | CWE-306 Missing authentication for critical function |
Unauthenticated RCE in agent runtimes is high-impact because these services often run with broad environment access (tokens, service accounts, internal network reachability), turning a single exposed endpoint into full service compromise.
Who is impacted
- ADK deployments on Python (OSS), Cloud Run, and GKE in the affected ranges described by the CVE.
- Teams exposing ADK-backed services to untrusted networks (internet-facing endpoints, partner-accessible environments, or shared internal platforms where tenant boundaries matter).
| Component | Affected versions (CVE record) | Patch statement (CVE record) |
|---|---|---|
| Agent Development Kit (ADK) | >= 1.7.0 and < 1.28.1 | "patched in versions 1.28.1" |
| Agent Development Kit (ADK) | >= 2.0.0a1 and < 2.0.0a2 | "patched in versions 2.0.0a2" |
Note: The CVE record also explicitly calls out ADK Web local usage as requiring an upgrade if you run it locally.
What to do now
- Follow vendor remediation guidance and apply the fix as described in the CVE record.
- Vendor guidance (verbatim):
"Customers need to redeploy the ADK to version 1.28.1 (or 2.0.0a2) or later to receive the fix on their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance."
- Inventory where ADK is running (repos/lockfiles, container images, Cloud Run services, GKE deployments) and confirm whether any deployments fall into the affected ranges.
- Because the impact is server-side arbitrary code execution, if compromise is suspected: review inbound request logs for unexpected execution paths, and rotate credentials reachable by the impacted service (API keys, service account tokens, signing keys).
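For the inventory step, the following added example (not code from Google or the CVE record) checks `==` pins in a requirements file against the two affected ranges in the table above, including the pre-release ordering that separates 2.0.0a1 from 2.0.0a2. The distribution name `google-adk` and the sample requirements text are assumptions; versions outside the plain `N.N.N` / `aN` / `bN` / `rcN` forms are reported as unparsed rather than guessed.

```python
import re

# Affected ranges from the table above: (inclusive lower bound, exclusive upper bound).
AFFECTED = [("1.7.0", "1.28.1"), ("2.0.0a1", "2.0.0a2")]
PACKAGE = "google-adk"  # assumption: PyPI distribution name, not stated on this page

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PHASE = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts after its pre-releases
_PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")


def version_key(text):
    """Sort key for a PEP 440 subset: N.N.N with an optional aN/bN/rcN suffix."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (4 - len(release))  # pad so 2.0 compares equal to 2.0.0
    return (tuple(release), _PHASE[m.group(2)], int(m.group(3) or 0))


def is_affected(version):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED)


def audit_requirements(text):
    """Return (line_no, version, status) for every line that names PACKAGE."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = _PIN.match(raw.split("#", 1)[0].strip())
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
            continue
        version = m.group(2)
        if version is None:  # no == pin: the resolved version must be checked elsewhere
            findings.append((no, None, "unpinned"))
            continue
        try:
            status = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            status = "unparsed"
        findings.append((no, version, status))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = "requests==2.32.3\ngoogle-adk==1.20.0  # web ui\nGoogle_ADK==2.0.0a2\ngoogle-adk\n"

if __name__ == "__main__":
    for line_no, version, status in audit_requirements(SAMPLE):
        print(f"line {line_no}: {PACKAGE} {version or '(no pin)'} -> {status}")
```

An unpinned or range-only entry says nothing about what is deployed, so confirm the resolved version in the built image or running service as well.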
