CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 & CVE-2026-8597)

unknownCVE-2026-8596CVE-2026-8597
Bulletin ID: 2026-031-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/14/2026 13:00 PM PDT Description: Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. The ModelBuilder component simplifies model deployment by automating model artifact preparation and SageMaker model creation. We identified two issues affecting the model artifact integrity verification mechanism in the ModelBuilder/Serve component: - CVE-2026-8596: We identified a cleartext storage of sensitive information issue in the ModelBuilder/Serve component. When building models using ModelBuilder, the SDK stored an HMAC signing key as a container environment variable (SAGEMAKER_SERVE_SECRET_KEY). This key was returned in plaintext by SageMaker describe APIs (DescribeModel, DescribeEndpointConfig, DescribeModelPackage). A remote authenticated actor with permissions to call these APIs and S3 write access to the model artifact path could extract the key, forge valid integrity signatures for specially crafted model artifacts, and achieve code execution in inference containers. - CVE-2026-8597: We identified a missing integrity verification issue in the Triton inference handler. The Triton handler deserialized model artifacts without performing integrity verification before execution. A remote authenticated actor with S3 write access to the model artifact path could replace model artifacts with a specially crafted pickle payload that would be deserialized without verification, achieving code execution in inference containers. Impacted versions: Amazon SageMaker Python SDK >= v2.199.0 AND <= v2.257.1, >= v3.0.0 AND <= v3.7.1 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Issues with model artifact integrity verification may expose sensitive information.
Who is affected
Users of the Amazon SageMaker Python SDK.
Urgency
Remediation is important due to potential exposure of sensitive information, although exploitation has not been confirmed.
Action
Review and apply necessary updates to the SageMaker Python SDK.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch SageMaker Python SDK

Get an email when a new SageMaker Python SDK advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-031-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-8596coverage & exploitation statusNVD · CVE.org
CVE-2026-8597coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins