CVE-2026-8597: SageMaker: RCE via poisoned Triton model artifacts in S3

HIGH
Published May 14, 2026
CISO Take

Amazon SageMaker Python SDK fails to verify the integrity of model artifacts fetched from S3 before passing them to the Triton inference handler, allowing any authenticated actor with S3 write access to the model artifact path to inject a malicious pickle payload that executes arbitrary code inside the inference container. While 'high privileges required' sounds limiting, S3 write permissions on model artifact buckets are routinely granted to CI/CD service accounts, data science teams, and ML engineers, which makes this a realistic insider threat and supply chain risk vector rather than a theoretical one. There is no evidence of active exploitation (not in CISA KEV, no public PoC), but once that access is obtained the attack is low-complexity and achieves full container compromise (C:H/I:H/A:H). Upgrade to SageMaker SDK v2.257.2 or v3.8.0 immediately, rebuild all Triton models previously created with ModelBuilder, and audit S3 bucket policies to enforce least privilege on model artifact paths.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 7.2 (High) accurately reflects real-world risk. The high privilege prerequisite (S3 write access to model artifact paths) is the primary mitigating factor, but this bar is lower than it appears in production cloud ML environments, where CI/CD pipelines, data science roles, and shared ML accounts routinely hold broad S3 write permissions. Once that access exists, attack complexity is low: no user interaction is required, and deserialization is triggered automatically during model loading. The impact is full C:H/I:H/A:H within the inference container, with realistic potential for lateral movement to other AWS services via the instance IAM role. No active exploitation or public exploit exists at the time of this analysis, which is the primary reason this does not rate critical.

Attack Kill Chain

Initial Access (AML.T0012)
Attacker obtains AWS IAM credentials with S3 write access to the SageMaker model artifact path via phishing, leaked CI/CD secrets, or a compromised developer workstation.

Artifact Replacement (AML.T0010.003)
Attacker uploads a maliciously crafted pickle payload to S3, silently overwriting the legitimate Triton model artifact without triggering integrity alerts due to absent verification.

Code Execution (AML.T0018.002)
SageMaker SDK's Triton inference handler deserializes the malicious pickle without verification on the next model load event, executing attacker-controlled code inside the inference container.

Impact (AML.T0025)
Attacker achieves full inference container compromise: IAM credential theft via IMDS, exfiltration of proprietary model weights, inference output tampering, or lateral movement to other AWS services via the instance execution role.

What systems are affected?

Package                  Ecosystem  Vulnerable Range  Patched
sagemaker                pip                          No patch
  (51 dependents; 80% patched; ~53d to patch)
triton-inference-server  pip                          No patch
  (10.6K; OpenSSF 6.1; pushed 6d ago; 0% patched)

Severity & Risk

CVSS 3.1: 7.2 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

1. Upgrade Amazon SageMaker Python SDK to v2.257.2 (v2 branch) or v3.8.0 (v3 branch); treat this as an emergency patch given production inference infrastructure exposure.
2. Rebuild all Triton models previously created with ModelBuilder using the patched SDK version; existing artifacts loaded by unpatched SDK versions may have been deserialized without verification.
3. Audit and restrict S3 IAM policies: model artifact paths should allow PutObject only to explicitly trusted principals (specific named CI/CD roles, no wildcards, no broad data-science group policies).
4. Enable S3 Object Versioning and CloudTrail S3 data events on model artifact buckets to detect unauthorized PutObject operations.
5. Consider S3 Object Lock (compliance mode) for production model artifacts to prevent replacement without governance approval.
6. Detection: query CloudTrail for s3:PutObject events on SageMaker model artifact prefixes from unexpected IAM principals, especially outside of scheduled deployment windows.
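As an added example of the detection step above (not code from the advisory or from the SageMaker project), this Python check runs over constructed CloudTrail S3 data-event records and flags PutObject calls on the model artifact prefix that come from a principal outside the trusted CI/CD role set or outside the deployment window. The bucket name, key prefix, role names, account id and the 09:00-18:00 UTC window are assumptions.

```python
from datetime import datetime

# Constructed sample CloudTrail S3 data-event records (not real logs); only the
# fields the check reads are included. Account id, bucket and roles are invented.
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-14T10:05:12Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/build-42"},
     "requestParameters": {"bucketName": "example-model-artifacts", "key": "triton/models/model.tar.gz"}},
    {"eventTime": "2026-05-14T02:41:03Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ds-analyst"},
     "requestParameters": {"bucketName": "example-model-artifacts", "key": "triton/models/model.tar.gz"}},
    {"eventTime": "2026-05-14T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/build-43"},
     "requestParameters": {"bucketName": "example-model-artifacts", "key": "datasets/train.csv"}},
    {"eventTime": "2026-05-14T23:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/build-44"},
     "requestParameters": {"bucketName": "example-model-artifacts", "key": "triton/models/model.tar.gz"}},
]


def _principal(arn):
    # STS assumed-role ARNs carry a per-session suffix; reduce them to the role name
    # so the allowlist can be expressed as role names. Other ARNs are returned as-is.
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/")[1].split("/")[0]
    return arn


def find_suspicious_artifact_writes(records, bucket, prefix, trusted_roles, window=(9, 18)):
    """Return one finding per s3:PutObject on bucket/prefix that was issued by a principal
    not in trusted_roles or that landed outside the [start, end) UTC hour window."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutObject":
            continue
        params = rec.get("requestParameters", {})
        if params.get("bucketName") != bucket or not params.get("key", "").startswith(prefix):
            continue  # writes elsewhere in the bucket are out of scope for this check
        who = _principal(rec["userIdentity"]["arn"])
        hour = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        reasons = []
        if who not in trusted_roles:
            reasons.append("untrusted principal")
        if not (window[0] <= hour < window[1]):
            reasons.append("outside deployment window")
        if reasons:
            findings.append({"key": params["key"], "principal": who,
                             "time": rec["eventTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_artifact_writes(SAMPLE_RECORDS, "example-model-artifacts",
                                             "triton/models/", {"ci-deploy-role"}):
        print(f)
```

In production the records would come from the CloudTrail S3 data-event logs delivered to the trail's bucket (or from Athena over them) rather than an inline list; the matching logic is unchanged.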

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.3 - AI supply chain management
NIST AI RMF: MANAGE 4.1 - Residual risks from AI systems are monitored and managed
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2026-8597 actively exploited?

No confirmed active exploitation of CVE-2026-8597 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-8597?

This vulnerability affects the following AI/ML architecture patterns: ML model serving, MLOps pipelines, SageMaker inference endpoints, Triton inference infrastructure, S3-backed model registries.

What is the CVSS score for CVE-2026-8597?

CVE-2026-8597 has a CVSS v3.1 base score of 7.2 (HIGH).

Technical Details

NVD Description

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuilding any Triton models previously created with ModelBuilder using the updated SDK.

Exploitation Scenario

An attacker compromises an AWS IAM credential with S3 write access to a SageMaker model artifact path — obtained via phishing a data scientist, a leaked .env file in a public GitHub repo, or a compromised CI/CD service account secret. They silently overwrite the legitimate Triton model artifact bundle in S3 with a crafted pickle payload embedding a reverse shell or AWS credential harvester. On the next SageMaker model deployment, endpoint refresh, or auto-scaling cold-start event, the SDK's Triton inference handler deserializes the artifact without integrity verification, triggering attacker-controlled code execution inside the inference container. The attacker then queries the EC2 IMDS endpoint for the instance profile credentials, assumes the SageMaker execution IAM role, accesses other AWS services (S3 buckets, Secrets Manager, other SageMaker endpoints), and can exfiltrate proprietary model weights or persist access — all while inference continues to appear operationally normal to monitoring systems.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2026
Last Modified: May 14, 2026
First Seen: May 14, 2026

Related Vulnerabilities