CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-1778

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-004-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/02/02 14:30 PM PST Description: CVE-2026-1777 - Exposed HMAC in SageMaker Python SDK SageMaker Python SDK’s remote functions feature uses a per‑job HMAC key to protect the integrity of serialized functions, arguments, and results stored in S3. We identified an issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API. This allows third parties with DescribeTrainingJob permissions to extract the key, forge cloud-pickled payloads with valid HMACs, and overwrite S3 objects. CVE-2026-1778 - Insecure TLS Configuration in SageMaker Python SDK SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. We identified an issue where SSL certificate verification was globally disabled in the Triton Python backend. This configuration was introduced to work around SSL errors during model downloads from public sources (e.g., TorchVision) and it affected all HTTPS connections when the Triton Python model was imported. Impacted versions: - HMAC Configuration in SageMaker Python SDK v3 < v3.2.0 - HMAC Configuration in SageMaker Python SDK v2 < v2.256.0 - Insecure TLS Configuration in SageMaker Python SDK v3 < v3.1.1 - Insecure TLS Configuration in SageMaker Python SDK v2 < v2.256.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
HMAC secret key exposure and insecure TLS configuration issues were identified.
Who is affected
Users of the SageMaker Python SDK.
Urgency
Remediation is important due to the potential for key exposure and insecure configurations.
Action
Review and apply updates to the SageMaker Python SDK.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-1778

Get an email if CVE-2026-1778 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-1778

CVE.org record

Embed the live status

CVE-2026-1778 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-1778 status](https://www.csirts.com/badge/CVE-2026-1778)](https://www.csirts.com/cve/CVE-2026-1778)