CVE-2026-8597: SageMaker: RCE via poisoned Triton model artifacts in S3

GHSA-rq6v-x3j8-7qgf HIGH
Published May 14, 2026
CISO Take

Amazon SageMaker Python SDK fails to verify the integrity of model artifacts fetched from S3 before passing them to the Triton inference handler, allowing any authenticated actor with S3 write access to the model artifact path to inject a malicious pickle payload that executes arbitrary code inside the inference container. While 'high privileges required' sounds limiting, S3 write permissions on model artifact buckets are routinely granted to CI/CD service accounts, data science teams, and ML engineers — making this a realistic insider threat and supply chain risk vector rather than a theoretical one. There is no evidence of active exploitation (not in CISA KEV, no public PoC), but the attack requires low complexity once access is obtained and achieves full container compromise (C:H/I:H/A:H). Upgrade to SageMaker SDK v2.257.2 or v3.8.0 immediately, rebuild all Triton models previously created with ModelBuilder, and audit S3 bucket policies to enforce least-privilege on model artifact paths.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

CVSS 7.2 (High) is a fair reflection of real-world risk. The PR:H prerequisite (S3 write access to the model artifact path) is the factor that keeps the base score below the critical band, but in production cloud ML environments that bar is lower than it looks: CI/CD pipelines, data science roles, and shared ML accounts routinely hold broad S3 write permissions. Once that access exists, attack complexity is low: no user interaction is required, and deserialization is triggered automatically during model loading. Impact is C:H/I:H/A:H within the inference container, with realistic potential for lateral movement to other AWS services via the endpoint's execution role. No active exploitation or public exploit exists at the time of this analysis, which is why the operational priority is not raised beyond what the score already implies.

How does the attack unfold?

Initial Access (AML.T0012): Attacker obtains AWS IAM credentials with S3 write access to the SageMaker model artifact path via phishing, leaked CI/CD secrets, or a compromised developer workstation.
Artifact Replacement (AML.T0010.003): Attacker uploads a maliciously crafted pickle payload to S3, silently overwriting the legitimate Triton model artifact; because the SDK performs no integrity verification, nothing downstream notices the change.
Code Execution (AML.T0018.002): On the next model load event, the SageMaker SDK's Triton inference handler deserializes the malicious pickle without verification, executing attacker-controlled code inside the inference container.
Impact (AML.T0025): Attacker achieves full inference container compromise: harvesting the execution role's credentials from the container's credential endpoint, exfiltrating proprietary model weights, tampering with inference output, or moving laterally to other AWS services via the execution role.

What systems are affected?

Package          Ecosystem   Vulnerable range              Patched
sagemaker (v2)   pip         >= 2.199.0, <= 2.257.1        2.257.2
sagemaker (v3)   pip         < 3.8.0 (per the advisory)    3.8.0
Triton           pip         not specified                 No patch listed (the advisory places the flaw in the SageMaker SDK's Triton inference handler, not in Triton itself)

Package stats at time of capture: sagemaker has 51 dependents, 100% patched, ~36 days to patch; Triton: 10.8K, OpenSSF Scorecard 6.2, pushed 6 days ago, 0% patched.

How severe is it?

CVSS 3.1
7.2 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): High
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

1. Upgrade Amazon SageMaker Python SDK to v2.257.2 (v2 branch) or v3.8.0 (v3 branch); treat it as an emergency patch given the exposure of production inference infrastructure.
2. Rebuild all Triton models previously created with ModelBuilder using the patched SDK. The advisory requires this, presumably because artifacts built before the fix lack what the patched handler needs to verify them; independently, any artifact that sat in a writable path while the handler loaded it unverified should be treated as suspect until re-created from a trusted source.
3. Audit and restrict S3 IAM and bucket policies: model artifact paths should allow s3:PutObject (and the other write actions, such as s3:DeleteObject) only to explicitly named deployment roles, with no wildcard principals and no broad data-science group policies.
4. Enable S3 Object Versioning and CloudTrail S3 data events on model artifact buckets so that an unauthorized write is both recoverable and visible.
5. Consider S3 Object Lock in compliance mode for production model artifacts; it prevents replacement or deletion of a locked version by any principal, including the account root, for the retention period, so pair it with a governed process for publishing new versions.
6. Detection: query CloudTrail for s3:PutObject (and CopyObject / CompleteMultipartUpload, which also replace objects) on SageMaker model artifact prefixes from unexpected IAM principals, especially outside scheduled deployment windows.
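As an added example of step 6 (not SageMaker SDK or AWS-provided code), the following Python pass reads CloudTrail S3 data-event records and flags writes to the model artifact prefix that come from a principal outside a role allowlist or land outside the deployment window. The account ID, bucket, prefixes, ARNs, the deployment window and every record are constructed for illustration; in practice the records would come from a CloudTrail Lake query or the trail's S3 delivery bucket, and the allowlist from the same source of truth as the bucket policy.

```python
import json
from datetime import datetime, time, timezone

# Constructed monitoring configuration (not real account data).
ACCOUNT = "111122223333"
BUCKET = "ml-model-artifacts-prod"
MONITORED_PREFIXES = {BUCKET: ("models/triton/",)}  # bucket -> key prefixes to watch
CI_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ci-model-publisher"
TRUSTED_WRITERS = {CI_ROLE}  # allowlist of role ARNs; sessions are collapsed to their role
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload", "DeleteObject"}
DEPLOY_WINDOW_UTC = (time(14, 0), time(16, 0))  # weekdays only; a constructed schedule

# Constructed principals and object names used in the sample records.
CI_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-model-publisher/gha-run-42"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/datasci-alice"
ENDPOINT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/sagemaker-endpoint-exec"
ENDPOINT_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/sagemaker-endpoint-exec/SageMaker"
ARTIFACT = "models/triton/resnet50/model.tar.gz"


def _rec(name, when, arn, key, issuer=None, bucket=BUCKET):
    """Build one record in CloudTrail's S3 data-event shape (trimmed to the fields used)."""
    ident = {"type": "AssumedRole" if issuer else "IAMUser", "arn": arn}
    if issuer:
        ident["sessionContext"] = {"sessionIssuer": {"type": "Role", "arn": issuer}}
    return {"eventVersion": "1.09", "eventTime": when, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": ident,
            "requestParameters": {"bucketName": bucket, "key": key}}


# Constructed sample trail: one scheduled deploy, one replacement by an IAM user at
# night, one write by the trusted role on a Sunday, one write outside the watched
# prefix, and one read by the endpoint's execution role.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("PutObject", "2026-05-18T14:30:00Z", CI_SESSION, ARTIFACT, issuer=CI_ROLE),
    _rec("PutObject", "2026-05-19T02:13:00Z", ALICE, ARTIFACT),
    _rec("CopyObject", "2026-05-17T03:00:00Z", CI_SESSION, ARTIFACT, issuer=CI_ROLE),
    _rec("PutObject", "2026-05-19T02:15:00Z", ALICE, "notebooks/alice/scratch.ipynb"),
    _rec("GetObject", "2026-05-19T02:20:00Z", ENDPOINT_SESSION, ARTIFACT, issuer=ENDPOINT_ROLE),
]})


def principal_arn(user_identity):
    """Collapse an assumed-role session ARN to the role ARN that issued it, so the
    allowlist is written per role rather than per session name."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "unknown")


def in_deploy_window(event_time):
    """True when the UTC timestamp falls on a weekday inside DEPLOY_WINDOW_UTC."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start, end = DEPLOY_WINDOW_UTC
    return t.weekday() < 5 and start <= t.time() < end


def is_monitored(bucket, key):
    return any(key.startswith(p) for p in MONITORED_PREFIXES.get(bucket, ()))


def analyze(records):
    """Return a finding for every object-replacing event on a monitored prefix that
    comes from a non-allowlisted principal or happens outside the deployment window."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in WRITE_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        bucket, key = params.get("bucketName", ""), params.get("key", "")
        if not is_monitored(bucket, key):
            continue
        principal = principal_arn(r.get("userIdentity", {}))
        reasons = []
        if principal not in TRUSTED_WRITERS:
            reasons.append("principal not in allowlist")
        if not in_deploy_window(r["eventTime"]):
            reasons.append("outside deployment window")
        if reasons:
            findings.append({"time": r["eventTime"], "event": r["eventName"], "principal": principal,
                             "object": f"s3://{bucket}/{key}", "reasons": reasons})
    return findings


def findings_from_trail(trail_json=SAMPLE_TRAIL):
    return analyze(json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for f in findings_from_trail():
        print(f"{f['time']} {f['event']} {f['object']} by {f['principal']}: {', '.join(f['reasons'])}")
```

Two design points: CopyObject and CompleteMultipartUpload are included because an artifact can be replaced without a plain PutObject ever appearing, and the assumed-role session ARN is collapsed to its issuing role so the allowlist matches the principals named in the bucket policy rather than volatile session names.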

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.3 - AI supply chain management
NIST AI RMF
MANAGE 4.1 - Residual risks from AI systems are monitored and managed
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-8597?

A missing integrity check in the Amazon SageMaker Python SDK's Triton inference handler: model artifacts fetched from S3 are deserialized (pickle) without verification, so any authenticated actor with S3 write access to the artifact path can replace them with a payload that executes inside the inference container. The full assessment is in the CISO Take above.

Is CVE-2026-8597 actively exploited?

No confirmed active exploitation of CVE-2026-8597 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8597?

Upgrade the SageMaker Python SDK to v2.257.2 (v2) or v3.8.0 (v3), rebuild Triton models created with ModelBuilder using the patched SDK, restrict S3 write access on model artifact paths to named deployment roles, enable versioning and CloudTrail S3 data events on artifact buckets (Object Lock for production artifacts), and alert on writes to artifact prefixes from unexpected principals. The full six-step plan is under "What should I do?" above.

What systems are affected by CVE-2026-8597?

This vulnerability affects the following AI/ML architecture patterns: ML model serving, MLOps pipelines, SageMaker inference endpoints, Triton inference infrastructure, S3-backed model registries.

What is the CVSS score for CVE-2026-8597?

CVE-2026-8597 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

ML model serving, MLOps pipelines, SageMaker inference endpoints, Triton inference infrastructure, S3-backed model registries

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.3
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuilding any Triton models previously created with ModelBuilder using the updated SDK.

Exploitation Scenario

An attacker compromises an AWS IAM credential with S3 write access to a SageMaker model artifact path, obtained via phishing a data scientist, a leaked .env file in a public GitHub repo, or a compromised CI/CD service account secret. They silently overwrite the legitimate Triton model artifact bundle in S3 with a crafted pickle payload embedding a reverse shell or AWS credential harvester. On the next SageMaker model deployment, endpoint refresh, or auto-scaling cold-start event, the SDK's Triton inference handler deserializes the artifact without integrity verification, triggering attacker-controlled code execution inside the inference container. The attacker then harvests the execution role's temporary credentials from inside the container (SageMaker hosting typically supplies them through the container credentials endpoint rather than the EC2 instance metadata service, but the effect is the same), uses the SageMaker execution role to reach other AWS services (S3 buckets, Secrets Manager, other SageMaker endpoints), and can exfiltrate proprietary model weights or persist access, all while inference continues to appear operationally normal to monitoring systems.
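The scenario turns on two facts: a pickle stream can name a callable that the unpickler invokes while loading, and nothing checks the bytes before they reach the unpickler. The following Python is an added example (not SageMaker SDK code) that shows both, and the two controls that close the gap: a digest pinned in a manifest kept outside the writable artifact path, checked before deserialization, and a restricted unpickler that refuses to resolve any global it was not told about. The artifact, manifest, and loader names are constructed here; the "tampered" object only records that it ran, standing in for whatever a real payload would do.

```python
import builtins
import hashlib
import hmac
import io
import pickle

# Constructed "legitimate" artifact and its pinned SHA-256, as a deployment
# manifest maintained outside the writable artifact path would record it.
LEGIT_MODEL = {"weights": [0.1, 0.2, 0.3], "labels": ["cat", "dog"]}
LEGIT_BYTES = pickle.dumps(LEGIT_MODEL)
MANIFEST = {"model.pkl": hashlib.sha256(LEGIT_BYTES).hexdigest()}

SIDE_EFFECTS = []  # records whether any code ran during deserialization


def _runs_at_load(tag):
    """Stand-in for attacker-controlled code; here it only leaves a marker."""
    SIDE_EFFECTS.append(tag)
    return {"weights": [], "labels": []}  # still looks like a model to the caller


class TamperedArtifact:
    """Constructed stand-in for a replaced artifact: pickle's __reduce__ protocol
    lets the object name a callable that the unpickler invokes while loading."""
    def __reduce__(self):
        return (_runs_at_load, ("executed-at-load",))


TAMPERED_BYTES = pickle.dumps(TamperedArtifact())


class IntegrityError(Exception):
    pass


def unverified_load(blob):
    """The pattern the advisory describes: deserialize whatever came back from storage."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only a fixed set of builtin container types; any other global
    (such as the callable behind TamperedArtifact) is refused before it is called."""
    SAFE = {("builtins", name) for name in ("dict", "list", "tuple", "set", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def verify_and_load(name, blob, manifest, loader=restricted_load):
    """Integrity gate: compare the artifact's digest against the pinned value
    before a single byte is handed to the deserializer."""
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"no pinned digest for {name}")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"digest mismatch for {name}: got {actual[:12]}, pinned {expected[:12]}")
    return loader(blob)


def demo():
    """Run the cases and report what happened in each; returns a dict of booleans."""
    out = {}
    SIDE_EFFECTS.clear()
    unverified_load(TAMPERED_BYTES)  # the vulnerable path: code runs during load
    out["unverified_executed_code"] = SIDE_EFFECTS == ["executed-at-load"]

    SIDE_EFFECTS.clear()
    try:
        verify_and_load("model.pkl", TAMPERED_BYTES, MANIFEST)
        out["integrity_gate_rejected"] = False
    except IntegrityError:
        out["integrity_gate_rejected"] = True
    out["integrity_gate_executed_code"] = bool(SIDE_EFFECTS)

    try:
        restricted_load(TAMPERED_BYTES)  # no digest check; the unpickler alone
        out["restricted_unpickler_rejected"] = False
    except pickle.UnpicklingError:
        out["restricted_unpickler_rejected"] = True
    out["restricted_unpickler_executed_code"] = bool(SIDE_EFFECTS)

    out["legit_loads"] = verify_and_load("model.pkl", LEGIT_BYTES, MANIFEST) == LEGIT_MODEL
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The digest check is the control the advisory's fix is about (CWE-354); the restricted unpickler is defence in depth for the case where the manifest itself is wrong or missing. Neither helps if the manifest lives in the same writable path as the artifact, which is why it belongs with the deployment definition, not beside the model.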

Weaknesses (CWE)

CWE-354 — Improper Validation of Integrity Check Value: The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

  • [Implementation] Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2026
Last Modified: May 21, 2026
First Seen: May 14, 2026

Related Vulnerabilities