Code Injection and Missing Authentication in Google Agent Development Kit
CVE-2026-4810

9.3CRITICAL

Key Information:

Vendor: Google Cloud
Status: Agent Development Kit (adk)
Vendor: CVE Published:; 13 April 2026

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2026-4810?

A vulnerability in the Google Agent Development Kit (ADK) affects various versions by allowing unauthenticated remote attackers to execute arbitrary code on the server. This poses serious risks to any deployed instances. Users of affected versions must upgrade to ensure security, particularly those running ADK Web locally.

Affected Version(s)

Agent Development Kit (ADK) 1.7.0 < 1.28.1

Agent Development Kit (ADK) 2.0.0a1 < 2.0.0a2

References

https://github.com/google/adk-python/blob/main/CHANGELOG....

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 13, 2026
Vulnerability Reserved
Mar 25, 2026

Credit

Yoshizawa

CVE-2026-4810 Data

JSON