Auth bypass in Google Cloud Agent Development Kit (ADK)

CVE-2026-4810

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to exec…

Vulnerability class: Broken Authentication

EPSS: 0.041 (88.8th percentile)

Affected products

Weakness classification (CWE)

References