Vulnerability Description
A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This vulnerability was patched in versions 1.28.1 and 2.0.0a2. Customers need to redeploy the upgraded ADK to their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-4810?
CVE-2026-4810 is a documented vulnerability. A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an ...
How severe is CVE-2026-4810?
CVSS scoring is not yet available for CVE-2026-4810. Check NVD for updates.
Is there a patch for CVE-2026-4810?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.