AI Threat Alert AI Threat Alert

CVE-2026-1778: sagemaker: security flaw enables exploitation

GHSA-62rc-f4v9-h543 MEDIUM
Published February 2, 2026
CISO Take

If your organization uses SageMaker Python SDK with Triton inference backends, patch to v3.1.1 (v3.x) or v2.256.0 (v2.x) immediately — SSL verification was globally disabled, enabling MITM attackers to silently swap models or dependencies with malicious versions leading to RCE inside your inference containers. Exploitation requires network positioning, so prioritize patching in shared-network or multi-tenant cloud environments where blast radius is highest. No known active exploitation, but the attack surface covers every Triton workload downloading artifacts over HTTPS.

Risk Assessment

Medium severity on paper (CVSS 5.9), but operationally significant for AI/ML pipelines. The High Attack Complexity (AC:H) reflects the MITM positioning requirement, which is non-trivial but achievable in cloud VPCs, shared inference clusters, or through compromised network appliances. The Integrity:High impact score accurately captures the worst case — silent model substitution is a catastrophic outcome for production AI systems since detection without artifact signing is nearly impossible. EPSS at 0.00009 and absence from CISA KEV suggest no active exploitation yet, but the vulnerability class (SSL stripping in ML runtimes) is well understood by supply chain attackers. Risk elevates significantly for organizations with multi-tenant inference infrastructure or CI/CD pipelines that pull models at runtime.

Affected Systems

Package Ecosystem Vulnerable Range Patched
sagemaker pip >= 3.0, < 3.1.1 3.1.1
51 dependents 100% patched ~53d to patch Full package profile →

Do you use sagemaker? You're affected.

Severity & Risk

CVSS 3.1
5.9 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Unchanged
C None
I High
A None

Recommended Action

6 steps

  1. PATCH

    Upgrade sagemaker Python package to v3.1.1 (pip install 'sagemaker>=3.1.1') or v2.256.0 ('sagemaker>=2.256.0'). Rebuild and redeploy all Triton-based SageMaker endpoints after patching.

  2. AUDIT FORKS

    If your team maintains a fork or vendored copy of the SageMaker SDK, manually apply commits 5e7a3ef and c809895 from the upstream repo.

  3. SELF-SIGNED CERTS: Teams using internal CAs for model artifact downloads should embed the CA cert into the container image rather than relying on SDK-level overrides — the patched version requires this explicit opt-in.

  4. ARTIFACT SIGNING

    Independently of this CVE, implement model artifact signing (AWS Signer or Sigstore) to detect substitution attacks regardless of SSL status.

  5. NETWORK CONTROLS

    Apply VPC endpoint policies to restrict SageMaker containers to specific S3 buckets and model registries — reduces MITM surface.

  6. DETECTION

    Alert on unexpected outbound HTTPS connections from inference containers to non-approved model registries or package repos.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Inference Framework AML.T0010.001 AML.T0010.003 AML.T0011.001 AML.T0018.002 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk management process A.6.2.3 - AI supply chain security A.8.5 - Information security for AI systems A.9.3 - Security of AI system inputs
NIST AI RMF
MANAGE 3.2 - Treatment of identified AI risks MAP 5.1 - Likelihood and impact of each identified risk MEASURE 2.5 - AI risks to critical assets are identified and evaluated
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-1778?

If your organization uses SageMaker Python SDK with Triton inference backends, patch to v3.1.1 (v3.x) or v2.256.0 (v2.x) immediately — SSL verification was globally disabled, enabling MITM attackers to silently swap models or dependencies with malicious versions leading to RCE inside your inference containers. Exploitation requires network positioning, so prioritize patching in shared-network or multi-tenant cloud environments where blast radius is highest. No known active exploitation, but the attack surface covers every Triton workload downloading artifacts over HTTPS.

Is CVE-2026-1778 actively exploited?

No confirmed active exploitation of CVE-2026-1778 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-1778?

1. PATCH: Upgrade sagemaker Python package to v3.1.1 (pip install 'sagemaker>=3.1.1') or v2.256.0 ('sagemaker>=2.256.0'). Rebuild and redeploy all Triton-based SageMaker endpoints after patching. 2. AUDIT FORKS: If your team maintains a fork or vendored copy of the SageMaker SDK, manually apply commits 5e7a3ef and c809895 from the upstream repo. 3. SELF-SIGNED CERTS: Teams using internal CAs for model artifact downloads should embed the CA cert into the container image rather than relying on SDK-level overrides — the patched version requires this explicit opt-in. 4. ARTIFACT SIGNING: Independently of this CVE, implement model artifact signing (AWS Signer or Sigstore) to detect substitution attacks regardless of SSL status. 5. NETWORK CONTROLS: Apply VPC endpoint policies to restrict SageMaker containers to specific S3 buckets and model registries — reduces MITM surface. 6. DETECTION: Alert on unexpected outbound HTTPS connections from inference containers to non-approved model registries or package repos.

What systems are affected by CVE-2026-1778?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, ML supply chain / artifact delivery.

What is the CVSS score for CVE-2026-1778?

CVE-2026-1778 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

### Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. ### Impact Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container. ### Impacted versions - SageMaker Python SDK v3 < v3.1.1 - SageMaker Python SDK v2 < v2.256.0 ### Patches This issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes. ### Workarounds Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains. ### References If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Exploitation Scenario

An adversary with network access between a SageMaker Triton container and its upstream artifact source (e.g., through a compromised AWS Direct Connect appliance, a misconfigured VPC peering route, or a rogue DNS resolver) intercepts HTTPS requests made by the SDK during model loading. Because SSL verification is disabled, the TLS certificate mismatch raises no error. The attacker serves a modified PyTorch model file (.pt) or a malicious Python package from their controlled server, embedding a reverse shell or data exfiltration payload within the model's deserialization hooks (pickle-based RCE). The Triton container loads the artifact, executes the malicious code with the container's IAM role permissions, giving the attacker access to S3, Secrets Manager, or other AWS services scoped to that role — all without triggering a certificate alert or model integrity check.

Weaknesses (CWE)

CWE-295 Improper Certificate Validation Primary CWE-599 Missing Validation of OpenSSL Certificate Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Timeline

Published
February 2, 2026
Last Modified
February 3, 2026
First Seen
March 24, 2026

Related Vulnerabilities

HIGH CVE-2026-1777 7.2

sagemaker: security flaw enables exploitation

Same package: sagemaker
MEDIUM CVE-2025-0508 5.9

SageMaker SDK: MD5 collision silently replaces ML workflows

Same package: sagemaker
HIGH GHSA-5r2p-pjr8-7fh7

sagemaker: Allowlist Bypass evades input filtering

Same package: sagemaker
CRITICAL CVE-2024-2912 10.0

BentoML: RCE via insecure deserialization (CVSS 10)

Same attack type: Supply Chain
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Supply Chain
Back to Threat Feed