Google Agent Development Kit (ADK) 1.7.0 - 1.28.0, 2.0.0a1
Summary
This vulnerability combines unauthenticated code injection with missing authentication in Google Agent Development Kit (ADK). It allows remote attackers to execute arbitrary code on any server hosting a vulnerable ADK instance. Exploitation requires no prior authentication, which makes the flaw easily accessible to attackers.
Remediation
Upgrade Google ADK to version 1.28.1 or 2.0.0a2 to patch this vulnerability. After upgrading, redeploy the updated ADK to all production environments. Any local ADK Web instances must also be upgraded to the fixed version.
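To confirm which environments still need the upgrade, the version bounds listed above can be checked mechanically. The script below is an added example, not code from Google or from this advisory; it assumes ADK was installed from PyPI under the package name `google-adk` and that versions have the `X.Y.Z` or `X.Y.ZaN` form used above. Pre-releases the advisory does not name are reported as `unknown` rather than guessed.

```python
import re
from importlib import metadata

# Version bounds copied from the advisory text; nothing else is assumed affected.
AFFECTED_MIN, AFFECTED_MAX = (1, 7, 0), (1, 28, 0)
AFFECTED_PRE = {"2.0.0a1"}
FIXED_PRE = {"2.0.0a2"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+)?$")
# PyPI treats '-', '_' and '.' in project names as equivalent.
_PIN = re.compile(r"^google[-_.]adk==(\S+)", re.IGNORECASE)

def classify(version):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    version = version.strip()
    m = _VERSION.match(version)
    if not m:
        return "unknown"  # dev, post or local builds need manual review
    if m.group(4):  # pre-release: only the ones the advisory names are decided
        if version in AFFECTED_PRE:
            return "affected"
        return "not-affected" if version in FIXED_PRE else "unknown"
    release = tuple(int(part) for part in m.group(1, 2, 3))
    return "affected" if AFFECTED_MIN <= release <= AFFECTED_MAX else "not-affected"

def scan_freeze(text):
    """Classify every pinned google-adk entry in `pip freeze` style text."""
    hits = []
    for line in text.splitlines():
        m = _PIN.match(line.strip())
        if m:
            hits.append((m.group(1), classify(m.group(1))))
    return hits

# Constructed sample, not output from a real host.
SAMPLE_FREEZE = """\
fastapi==0.115.0
google-adk==1.27.3
google_adk==2.0.0a1
Google-ADK==1.28.1
"""

if __name__ == "__main__":
    for version, verdict in scan_freeze(SAMPLE_FREEZE):
        print(f"sample  google-adk {version}: {verdict}")
    try:
        local = metadata.version("google-adk")
        print(f"local   google-adk {local}: {classify(local)}")
    except metadata.PackageNotFoundError:
        print("local   google-adk is not installed in this environment")
```

Run it inside each virtual environment or container image that hosts ADK, or feed `scan_freeze` the saved `pip freeze` output from those hosts.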