CVE-2026-4810: Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability

April 13, 2026 (updated April 24, 2026)

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.

This vulnerability was patched in versions 1.28.1 and 2.0.0a2.

Customers need to redeploy the upgraded ADK to their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance.

References

  • github.com/advisories/GHSA-rg7c-g689-fr3x
  • github.com/google/adk-python
  • github.com/google/adk-python/blob/main/CHANGELOG.md
  • nvd.nist.gov/vuln/detail/CVE-2026-4810

Affected versions

All versions starting from 2.0.0a1 before 2.0.0a2, all versions starting from 1.7.0 before 1.28.1

Fixed versions

  • 1.28.1
  • 2.0.0a2

Solution

Upgrade to versions 1.28.1, 2.0.0a2 or above.
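
The affected ranges above can be checked against pinned dependencies. The following is an added example, not code from the advisory or from the ADK project; the function names and the sample requirements text are hypothetical, and the version parser only handles the `X.Y.Z` and `X.Y.ZaN`/`bN`/`rcN` forms rather than all of PEP 440. Only exact `==` pins are inspected.

```python
import re

# Ranges from the "Affected versions" section, as [introduced, fixed).
AFFECTED = [("1.7.0", "1.28.1"), ("2.0.0a1", "2.0.0a2")]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
# Pre-releases sort before the final release of the same X.Y.Z.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse(version):
    """Return a sort key for X.Y.Z[aN|bN|rcN] (not a full PEP 440 parser)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch), _PRE_RANK[tag], int(num or 0))


def is_affected(version):
    """True if version falls inside any affected range of this advisory."""
    key = parse(version)
    return any(parse(lo) <= key < parse(hi) for lo, hi in AFFECTED)


# Matches "google-adk==X", "google_adk[extra]==X", case-insensitively.
_PIN = re.compile(r"^\s*google[-_.]adk(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.I)


def scan_requirements(text):
    """Return (line_no, version, affected) for each exact google-adk pin."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _PIN.match(line)
        if m:
            findings.append((line_no, m.group(1), is_affected(m.group(1))))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.32.3
google-adk==1.27.0
google_adk==2.0.0a2  # fixed pre-release
"""

if __name__ == "__main__":
    for line_no, ver, bad in scan_requirements(SAMPLE):
        status = "AFFECTED, upgrade" if bad else "ok"
        print(f"line {line_no}: google-adk {ver} -> {status}")
```

Numeric comparison matters here: `1.10.0` is inside the `1.7.0` to `1.28.1` range, and `2.0.0a2` is fixed even though it sorts before `2.0.0`.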

Impact 10 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness

  • CWE-306: Missing Authentication for Critical Function

Source file

pypi/google-adk/CVE-2026-4810.yml

Page generated Sat, 09 May 2026 12:18:31 +0000.