CVE-2026-8596 & CVE-2026-8597: Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues

Bulletin ID: 2026-031-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/14/2026 12:45 PM PDT

Description:

Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. The ModelBuilder component simplifies model deployment by automating model artifact preparation and SageMaker model creation.

We identified two issues affecting the model artifact integrity verification mechanism in the ModelBuilder/Serve component:

  • CVE-2026-8596: We identified a cleartext storage of sensitive information issue in the ModelBuilder/Serve component. When building models using ModelBuilder, the SDK stored an HMAC signing key as a container environment variable (SAGEMAKER_SERVE_SECRET_KEY). This key was returned in plaintext by SageMaker describe APIs (DescribeModel, DescribeEndpointConfig, DescribeModelPackage). A remote authenticated actor with permissions to call these APIs and S3 write access to the model artifact path could extract the key, forge valid integrity signatures for specially crafted model artifacts, and achieve code execution in inference containers.

  • CVE-2026-8597: We identified a missing integrity verification issue in the Triton inference handler. The Triton handler deserialized model artifacts without performing integrity verification before execution. A remote authenticated actor with S3 write access to the model artifact path could replace model artifacts with a specially crafted pickle payload that would be deserialized without verification, achieving code execution in inference containers.

Impacted versions: Amazon SageMaker Python SDK v2.199.0 through v2.257.1 (>= v2.199.0 AND <= v2.257.1), and v3.0.0 through v3.7.1 (>= v3.0.0 AND <= v3.7.1)

Resolution:

These issues have been addressed in Amazon SageMaker Python SDK v2.257.2 and v3.8.0. We recommend upgrading to the latest version and rebuilding any models previously created with ModelBuilder using the updated SDK. Models created with affected versions may still have the HMAC key stored in their container environment variables until they are rebuilt with the patched SDK.

Workarounds:

If upgrading is not immediately possible, users can manually remove the SAGEMAKER_SERVE_SECRET_KEY environment variable from existing SageMaker models by recreating the model without this variable in the container environment configuration. Additionally, users should restrict S3 write access to model artifact paths to only trusted principals.
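The following script is an added example for working through the resolution and workaround above; it is not AWS code and not part of the SageMaker Python SDK. It checks an SDK version string against the affected ranges stated in this bulletin, inspects a DescribeModel response for the SAGEMAKER_SERVE_SECRET_KEY container variable, and produces a cleaned container definition that can be passed back to CreateModel when recreating the model without the key. The PrimaryContainer, Containers and Environment fields are the real DescribeModel response fields; the sample response embedded below is constructed, and the optional live scan assumes boto3 and AWS credentials are available.

```python
"""Audit helpers for CVE-2026-8596 / CVE-2026-8597 remediation (added example)."""
import re
from typing import Dict, List, Tuple

# Environment variable named in the bulletin.
SECRET_ENV_VAR = "SAGEMAKER_SERVE_SECRET_KEY"

# Affected ranges from the bulletin, inclusive on both ends.
AFFECTED_RANGES = (
    ((2, 199, 0), (2, 257, 1)),
    ((3, 0, 0), (3, 7, 1)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v2.257.1' or '2.257.1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True if the given SDK version falls inside one of the bulletin's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def exposed_containers(describe_model_response: Dict) -> List[Tuple[str, str]]:
    """Return (container_label, model_data_url) for each container in a
    DescribeModel response whose environment still carries the signing key."""
    findings = []
    primary = describe_model_response.get("PrimaryContainer")
    containers = [("PrimaryContainer", primary)] if primary else []
    containers += [
        (f"Containers[{i}]", c)
        for i, c in enumerate(describe_model_response.get("Containers", []))
    ]
    for label, c in containers:
        if SECRET_ENV_VAR in (c.get("Environment") or {}):
            findings.append((label, c.get("ModelDataUrl", "")))
    return findings


def scrubbed_container(container: Dict) -> Dict:
    """Copy of a container definition with the signing key removed, suitable for
    CreateModel when recreating the model as the bulletin's workaround describes."""
    clean = dict(container)
    env = dict(clean.get("Environment") or {})
    env.pop(SECRET_ENV_VAR, None)
    if env:
        clean["Environment"] = env
    else:
        clean.pop("Environment", None)
    return clean


# Constructed sample, shaped like a DescribeModel response (not real data).
SAMPLE_RESPONSE = {
    "ModelName": "example-modelbuilder-model",
    "PrimaryContainer": {
        "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example:latest",
        "ModelDataUrl": "s3://example-bucket/model.tar.gz",
        "Environment": {
            "SAGEMAKER_SERVE_SECRET_KEY": "REDACTED-EXAMPLE-KEY",
            "SAGEMAKER_PROGRAM": "inference.py",
        },
    },
    "ExecutionRoleArn": "arn:aws:iam::123456789012:role/example",
}


def scan_account(region_name: str) -> List[Tuple[str, str, str]]:
    """Live scan (assumes boto3 + credentials): (model_name, container_label,
    model_data_url) for every model in the region that still carries the key."""
    import boto3  # imported lazily so the offline helpers work without it
    sm = boto3.client("sagemaker", region_name=region_name)
    results = []
    for page in sm.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            desc = sm.describe_model(ModelName=summary["ModelName"])
            for label, url in exposed_containers(desc):
                results.append((summary["ModelName"], label, url))
    return results


if __name__ == "__main__":
    print("2.257.1 affected:", is_affected_version("2.257.1"))
    print("findings in sample:", exposed_containers(SAMPLE_RESPONSE))
    print("scrubbed:", scrubbed_container(SAMPLE_RESPONSE["PrimaryContainer"]))
```

Scrubbing the variable only removes the stored key from the model definition; as the Resolution section states, models should still be rebuilt with the patched SDK, and the S3 prefixes returned in the findings are the paths whose write access should be limited to trusted principals.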

References:


Please email aws-security@amazon.com with any security questions or concerns.