CVE-2026-1778: SageMaker security flaw enables

CISO Take

If your organization uses SageMaker Python SDK with Triton inference backends, patch to v3.1.1 (v3.x) or v2.256.0 (v2.x) immediately — SSL verification was globally disabled, enabling MITM attackers to silently swap models or dependencies with malicious versions leading to RCE inside your inference containers. Exploitation requires network positioning, so prioritize patching in shared-network or multi-tenant cloud environments where blast radius is highest. No known active exploitation, but the attack surface covers every Triton workload downloading artifacts over HTTPS.

What is the risk?

Medium severity on paper (CVSS 5.9), but operationally significant for AI/ML pipelines. The High Attack Complexity (AC:H) reflects the MITM positioning requirement, which is non-trivial but achievable in cloud VPCs, shared inference clusters, or through compromised network appliances. The Integrity:High impact score accurately captures the worst case — silent model substitution is a catastrophic outcome for production AI systems since detection without artifact signing is nearly impossible. EPSS at 0.00009 and absence from CISA KEV suggest no active exploitation yet, but the vulnerability class (SSL stripping in ML runtimes) is well understood by supply chain attackers. Risk elevates significantly for organizations with multi-tenant inference infrastructure or CI/CD pipelines that pull models at runtime.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
SageMaker	pip	>= 3.0, < 3.1.1	`3.1.1`
51 dependents 100% patched ~36d to patch Full package profile →

Do you use SageMaker? You're affected.

How severe is it?

CVSS 3.1

5.9 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC High

PR None

UI None

S Unchanged

C None

I High

A None

What should I do?

6 steps

PATCH

Upgrade sagemaker Python package to v3.1.1 (pip install 'sagemaker>=3.1.1') or v2.256.0 ('sagemaker>=2.256.0'). Rebuild and redeploy all Triton-based SageMaker endpoints after patching.
AUDIT FORKS

If your team maintains a fork or vendored copy of the SageMaker SDK, manually apply commits 5e7a3ef and c809895 from the upstream repo.
SELF-SIGNED CERTS: Teams using internal CAs for model artifact downloads should embed the CA cert into the container image rather than relying on SDK-level overrides — the patched version requires this explicit opt-in.
ARTIFACT SIGNING

Independently of this CVE, implement model artifact signing (AWS Signer or Sigstore) to detect substitution attacks regardless of SSL status.
NETWORK CONTROLS

Apply VPC endpoint policies to restrict SageMaker containers to specific S3 buckets and model registries — reduces MITM surface.
DETECTION

Alert on unexpected outbound HTTPS connections from inference containers to non-approved model registries or package repos.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Inference Framework AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.001 - Malicious Package AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2 - AI risk management process A.6.2.3 - AI supply chain security A.8.5 - Information security for AI systems A.9.3 - Security of AI system inputs

NIST AI RMF

MANAGE 3.2 - Treatment of identified AI risks MAP 5.1 - Likelihood and impact of each identified risk MEASURE 2.5 - AI risks to critical assets are identified and evaluated

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-1778?

If your organization uses SageMaker Python SDK with Triton inference backends, patch to v3.1.1 (v3.x) or v2.256.0 (v2.x) immediately — SSL verification was globally disabled, enabling MITM attackers to silently swap models or dependencies with malicious versions leading to RCE inside your inference containers. Exploitation requires network positioning, so prioritize patching in shared-network or multi-tenant cloud environments where blast radius is highest. No known active exploitation, but the attack surface covers every Triton workload downloading artifacts over HTTPS.

Is CVE-2026-1778 actively exploited?

No confirmed active exploitation of CVE-2026-1778 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-1778?

1. PATCH: Upgrade sagemaker Python package to v3.1.1 (pip install 'sagemaker>=3.1.1') or v2.256.0 ('sagemaker>=2.256.0'). Rebuild and redeploy all Triton-based SageMaker endpoints after patching. 2. AUDIT FORKS: If your team maintains a fork or vendored copy of the SageMaker SDK, manually apply commits 5e7a3ef and c809895 from the upstream repo. 3. SELF-SIGNED CERTS: Teams using internal CAs for model artifact downloads should embed the CA cert into the container image rather than relying on SDK-level overrides — the patched version requires this explicit opt-in. 4. ARTIFACT SIGNING: Independently of this CVE, implement model artifact signing (AWS Signer or Sigstore) to detect substitution attacks regardless of SSL status. 5. NETWORK CONTROLS: Apply VPC endpoint policies to restrict SageMaker containers to specific S3 buckets and model registries — reduces MITM surface. 6. DETECTION: Alert on unexpected outbound HTTPS connections from inference containers to non-approved model registries or package repos.

What systems are affected by CVE-2026-1778?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, ML supply chain / artifact delivery.

What is the CVSS score for CVE-2026-1778?

CVE-2026-1778 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

model servinginference pipelinestraining pipelinesML supply chain / artifact delivery

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0010.003 Model

AML.T0011.001 Malicious Package

AML.T0018.002 Embed Malware

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2, A.6.2.3, A.8.5, A.9.3

NIST AI RMF: MANAGE 3.2, MAP 5.1, MEASURE 2.5

OWASP LLM Top 10: LLM05, LLM05:2025

What are the technical details?

Original Advisory

### Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. ### Impact Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container. ### Impacted versions - SageMaker Python SDK v3 < v3.1.1 - SageMaker Python SDK v2 < v2.256.0 ### Patches This issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes. ### Workarounds Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains. ### References If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Exploitation Scenario

An adversary with network access between a SageMaker Triton container and its upstream artifact source (e.g., through a compromised AWS Direct Connect appliance, a misconfigured VPC peering route, or a rogue DNS resolver) intercepts HTTPS requests made by the SDK during model loading. Because SSL verification is disabled, the TLS certificate mismatch raises no error. The attacker serves a modified PyTorch model file (.pt) or a malicious Python package from their controlled server, embedding a reverse shell or data exfiltration payload within the model's deserialization hooks (pickle-based RCE). The Triton container loads the artifact, executes the malicious code with the container's IAM role permissions, giving the attacker access to S3, Secrets Manager, or other AWS services scoped to that role — all without triggering a certificate alert or model integrity check.

Weaknesses (CWE)

CWE-295 Improper Certificate Validation Primary CWE-599 Missing Validation of OpenSSL Certificate Primary

CWE-295 — Improper Certificate Validation: The product does not validate, or incorrectly validates, a certificate.

[Architecture and Design, Implementation] Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
[Implementation] If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

Source: MITRE CWE corpus.