CVE-2026-8596: SageMaker SDK: cleartext HMAC key enables model artifact RCE

GHSA-7hh5-prp2-mfh5 HIGH
Published May 21, 2026
CISO Take

The Amazon SageMaker Python SDK (versions 2.199.0–2.257.1 and 3.0.0–3.7.1) stores an HMAC model integrity signing key as a cleartext container environment variable returned verbatim by SageMaker's DescribeModel, DescribeEndpointConfig, and DescribeModelPackage APIs. An authenticated attacker holding describe API permissions plus S3 write access to the model artifact path can extract the key directly from the API response, forge valid HMAC signatures on a crafted malicious model artifact, and achieve code execution inside SageMaker inference containers under the execution role's full IAM permissions — a foothold into the broader AWS environment. With 51 downstream dependents and EPSS placing this in the top 73rd percentile for exploitation likelihood, the realistic threat profile is a compromised CI/CD credential or over-permissioned developer role — a common posture in ML teams. Organizations must immediately upgrade to SDK v2.257.2 or v3.8.0 and rebuild all ModelBuilder-deployed models, since models built with affected versions retain the exposed key in their configuration even after the SDK is patched.


What is the risk?

CVSS 7.2 High (AV:N/AC:L/PR:H/UI:N) with High impact across confidentiality, integrity, and availability. The primary guard — PR:H (high privileges required) — limits opportunistic exploitation; however, in AWS environments, IAM role proliferation and broadly-scoped CI/CD pipelines make the required access pattern common in practice. The chaining of cleartext credential disclosure with model artifact forgery and subsequent inference container code execution elevates operational risk meaningfully above the raw CVSS score. No public exploit or KEV listing at time of publication, but the attack requires no specialized AI/ML expertise beyond AWS API familiarity, lowering the bar for any attacker who already holds the prerequisite permissions.

Attack Kill Chain

Credential Discovery
Authenticated adversary calls DescribeModel, DescribeEndpointConfig, or DescribeModelPackage API and receives SAGEMAKER_SERVE_SECRET_KEY in cleartext from the container environment variables block.
AML.T0055
Artifact Forgery
Adversary crafts a malicious model artifact with embedded payload and computes a valid HMAC signature using the extracted key, ensuring it passes SageMaker's integrity verification on load.
AML.T0018
Artifact Delivery
Adversary overwrites the legitimate model artifact in the target S3 path with the malicious forged artifact using available S3 write permissions.
AML.T0010.001
Code Execution
SageMaker loads the forged artifact during inference, HMAC validation passes, and the payload executes inside the inference container with the execution role's full IAM permissions.
AML.T0050

What systems are affected?

Package     Ecosystem   Vulnerable Range           Patched
sagemaker   pip         >= 2.199.0, <= 2.257.1     2.257.2

51 dependents, 100% patched, ~36 days to patch


Severity & Risk

CVSS 3.1: 7.2 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Metric                      Value
Attack Vector (AV)          Network
Attack Complexity (AC)      Low
Privileges Required (PR)    High
User Interaction (UI)       None
Scope (S)                   Unchanged
Confidentiality (C)         High
Integrity (I)               High
Availability (A)            High

What should I do?

6 steps
  1. Upgrade sagemaker SDK to v2.257.2 (v2 branch) or v3.8.0 (v3 branch) immediately.

  2. After upgrading, rebuild all models previously deployed with ModelBuilder — SDK upgrade alone does not fix already-deployed models with the key embedded in container configuration.

  3. If immediate upgrade is not possible, manually recreate SageMaker models without the SAGEMAKER_SERVE_SECRET_KEY environment variable in the container environment configuration as a temporary workaround.

  4. Detect exposure by auditing existing models: run aws sagemaker describe-model --model-name <name> and inspect the Containers[].Environment block for SAGEMAKER_SERVE_SECRET_KEY.

  5. Tighten IAM: restrict DescribeModel, DescribeEndpointConfig, and DescribeModelPackage permissions to least-privilege; audit S3 bucket policies for model artifact paths to limit write access.

  6. Treat any model artifact whose associated HMAC key was potentially exposed as untrusted until rebuilt.
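An added audit helper for steps 3 and 4 (example code written for this page, not part of the SageMaker SDK or the advisory): it checks the JSON from aws sagemaker describe-model for SAGEMAKER_SERVE_SECRET_KEY in both PrimaryContainer and Containers, and derives a CreateModel request with the variable removed for the interim workaround. The DESCRIBE_ONLY field set and the sample response are assumptions; verify them against your boto3 version before recreating production models.

```python
import copy
import json
import sys

# Environment variable the advisory identifies as holding the HMAC key.
EXPOSED_VAR = "SAGEMAKER_SERVE_SECRET_KEY"
# Fields DescribeModel returns that CreateModel does not accept
# (assumption from the public SageMaker API; check against your boto3 version).
DESCRIBE_ONLY = {"ModelArn", "CreationTime", "ResponseMetadata", "DeploymentRecommendation"}


def containers_of(model):
    """Yield each container: PrimaryContainer (single) and the Containers list (multi)."""
    if "PrimaryContainer" in model:
        yield model["PrimaryContainer"]
    yield from model.get("Containers", [])


def find_exposed(model):
    """Return the image of every container whose Environment carries the key."""
    return [c.get("Image", "<no-image>") for c in containers_of(model)
            if EXPOSED_VAR in c.get("Environment", {})]


def sanitized_create_request(model):
    """Build a CreateModel request for the same model with the key removed
    (the advisory's workaround); the input dict and the secret value are untouched."""
    req = copy.deepcopy({k: v for k, v in model.items() if k not in DESCRIBE_ONLY})
    for c in containers_of(req):
        c.get("Environment", {}).pop(EXPOSED_VAR, None)
    return req


# Constructed sample shaped like a DescribeModel response (not real data).
SAMPLE = {
    "ModelName": "example-model",
    "ModelArn": "arn:aws:sagemaker:us-east-1:123456789012:model/example-model",
    "PrimaryContainer": {
        "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/torchserve:latest",
        "ModelDataUrl": "s3://example-bucket/model.tar.gz",
        "Environment": {EXPOSED_VAR: "PLACEHOLDER-NOT-A-REAL-KEY",
                        "SAGEMAKER_PROGRAM": "inference.py"},
    },
    "ExecutionRoleArn": "arn:aws:iam::123456789012:role/ExampleRole",
    "CreationTime": "2026-05-01T00:00:00Z",
}

if __name__ == "__main__":
    # Usage: aws sagemaker describe-model --model-name <name> --output json | python audit.py
    model = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    hits = find_exposed(model)
    print(f"{model['ModelName']}: {'EXPOSED in ' + ', '.join(hits) if hits else 'clean'}")
```

Run it once per model name from aws sagemaker list-models; any hit means the model must be rebuilt with the patched SDK, not merely left running after the upgrade.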

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2.5 - AI system security — sensitive data handling
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain risk management actions
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions


Is CVE-2026-8596 actively exploited?

No confirmed active exploitation of CVE-2026-8596 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-8596?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference pipelines, SageMaker MLOps pipelines, multi-model endpoints.

What is the CVSS score for CVE-2026-8596?

CVE-2026-8596 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

Summary

Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable, which is returned in plaintext by SageMaker describe APIs.

Impact

When using ModelBuilder to build and deploy models with affected model servers (TorchServe, Multi-Model Server, TensorFlow Serving, SMD, or Triton), the SDK generates an HMAC secret key for model artifact integrity verification and stores it as the SAGEMAKER_SERVE_SECRET_KEY environment variable in the SageMaker model container configuration. This environment variable is returned in plaintext by the DescribeModel, DescribeEndpointConfig, and DescribeModelPackage APIs. A remote authenticated actor with permissions to call these describe APIs and S3 write access to the model artifact path could extract the key, forge valid integrity signatures for specially crafted model artifacts, and achieve code execution in inference containers with the SageMaker execution role's IAM permissions.

Impacted versions: >= v2.199.0 AND <= v2.257.1, >= v3.0.0 AND <= v3.7.1

Patches

This issue has been addressed in Amazon SageMaker Python SDK v2.257.2 and v3.8.0. AWS recommends upgrading to the latest version and rebuilding any models previously created with ModelBuilder using the updated SDK. Models created with affected versions may still have the HMAC key stored in their container environment variables until they are rebuilt with the patched SDK. Ensure any forked or derivative code is patched to incorporate the new fixes.

Workarounds

If upgrading is not immediately possible, users can manually remove the SAGEMAKER_SERVE_SECRET_KEY environment variable from existing SageMaker models by recreating the model without this variable in the container environment configuration.

References

If there are any questions or comments about this advisory, contact AWS Security via the vulnerability reporting page (https://aws.amazon.com/security/vulnerability-reporting) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Exploitation Scenario

An adversary with compromised developer or CI/CD credentials — common in ML teams where IAM roles are broadly scoped — first enumerates SageMaker models via DescribeModel. The API response includes the container environment block with SAGEMAKER_SERVE_SECRET_KEY in cleartext. The attacker crafts a malicious TorchServe model archive containing a reverse shell payload, computes a valid HMAC signature using the extracted key so it passes integrity verification, and overwrites the legitimate artifact at the model's S3 path using available write permissions. On the next endpoint invocation or model reload, SageMaker fetches and validates the forged artifact — HMAC check passes — and executes the attacker's payload inside the inference container. The attacker now holds a shell running under the SageMaker execution role's IAM permissions, enabling lateral movement to other AWS services such as S3, Secrets Manager, and DynamoDB accessible within the same account.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 21, 2026
Last Modified: May 21, 2026
First Seen: May 21, 2026
