CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Security Findings in SageMaker Python SDK

unknownCVE-2026-1777CVE-2026-1778
Bulletin ID: 2026-004-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/02/02 14:30 PM PST Description: CVE-2026-1777 - Exposed HMAC in SageMaker Python SDK SageMaker Python SDK’s remote functions feature uses a per‑job HMAC key to protect the integrity of serialized functions, arguments, and results stored in S3. We identified an issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API. This allows third parties with DescribeTrainingJob permissions to extract the key, forge cloud-pickled payloads with valid HMACs, and overwrite S3 objects. CVE-2026-1778 - Insecure TLS Configuration in SageMaker Python SDK SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. We identified an issue where SSL certificate verification was globally disabled in the Triton Python backend. This configuration was introduced to work around SSL errors during model downloads from public sources (e.g., TorchVision) and it affected all HTTPS connections when the Triton Python model was imported. Impacted versions: - HMAC Configuration in SageMaker Python SDK v3 < v3.2.0 - HMAC Configuration in SageMaker Python SDK v2 < v2.256.0 - Insecure TLS Configuration in SageMaker Python SDK v3 < v3.1.1 - Insecure TLS Configuration in SageMaker Python SDK v2 < v2.256.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
HMAC secret key exposure and insecure TLS configuration issues were identified.
Who is affected
Users of the SageMaker Python SDK.
Urgency
Remediation is important due to the potential for key exposure and insecure configurations.
Action
Review and apply updates to the SageMaker Python SDK.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch SageMaker Python SDK

Get an email when a new SageMaker Python SDK advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-004-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-1777coverage & exploitation statusNVD · CVE.org
CVE-2026-1778coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins