CVE-2026-4810

216.73.216.123

· Published 13/04/2026 09:16 · Modified 13/04/2026 15:01

Labels: CVE-2026-4810 2026-04-13 CVE-2026-4810 CWE-306 f45cbf4e-4146-4068-b7e1-655ffc2c548c

Essential information

Published: 13/04/2026 09:16
Modified: 13/04/2026 15:01
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This vulnerability was patched in versions 1.28.1 and 2.0.0a2. Customers need to redeploy the upgraded ADK to their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: f45cbf4e-4146-4068-b7e1-655ffc2c548c
NVD: View on NVD

Affected products (CPE)

Product	CPE
google / agent development kit	`cpe:2.3:a:google:agent_development_kit:1.7.0-1.28.1:::::::*`
google / agent development kit	`cpe:2.3:a:google:agent_development_kit:2.0.0a1-2.0.0a2:::::::*`